[1308] in linux-security and linux-alert archive
[linux-security] About DNS again
daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Wed Nov 20 14:56:49 1996
Old-X-Envelope-From: alex@bach.cis.temple.edu Wed Nov 20 12:06:08 1996
To: linux-security@redhat.com
Date: Wed, 20 Nov 1996 12:18:58 -0500
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
//////////////////////////////////////////////////////////////////////////
I have got a couple of messages stating that I am wrong and that the
resolver vulnerability sent to the list by Oliver Friedrichs (oliver@secnet.com)
is a new one. Our discussion with Oliver outlined that even though it is
possible that this vulnerability was discussed during BOFs at conferences
such as LISA, SANS and NETSEC, neither a summary was ever made public, nor a
detailed description of the attack ever given.
The SNI Security Advisory posted to linux-security provided not only a really
good summary with an explanation of attacks targeting the resolver but also
a detailed description of them.
I apologise for blindly assuming that readers of the mailing list were
aware of these problems.
The following is an extract from the follow-up message sent by Oliver
Friedrichs <oliver@secnet.com> (used with permission).
> The argument that I make (and the argument explaining the reason why we
> assumed it was new), is that Paul Vixie himself was not aware of this
> problem until we notified him. This is not to mention that CERT was not
> aware of the problem either. The other interesting fact is that the BIND
> resolver, up until the latest official release (and beta releases), has
> been vulnerable to this attack. The fix was apparently made by fluke,
> after incorporating IPv6 support.
>
> I have also never seen any other reference to this anywhere else (yes,
> there has been a lot of talk about h_name problems in various places,
> causing string buffer overflows, yet not the h_length problem).
>
> I also feel it is important to point out that this bug, whether new or old,
> has not been addressed. Even if the bug was discussed at SANS or elsewhere,
> it does not change the fact that it is a very serious, very immediate
> threat, affecting everything from personal workstations to corporate
> firewalls. Discussing it, e-mailing about it, or any other type of
> communication in limited forums will end with the bug still being a
> problem. With this in mind, we released the advisory.
Alex