[12546] in bugtraq
Re: your mail
daemon@ATHENA.MIT.EDU (Alain Thivillon)
Fri Nov 12 12:42:57 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <19991112052055.E10900@yoko.hsc.fr>
Date: Fri, 12 Nov 1999 05:20:55 +0100
Reply-To: Alain Thivillon <Alain.Thivillon@HSC.FR>
From: Alain Thivillon <Alain.Thivillon@HSC.FR>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199911110238.DAA24292@sofuku.monster.org>
Anonymous <nobody@REPLAY.COM> wrote:
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!
[NB: I may be wrong, don't flame me :)]
Examining the diffs between 8.2.1 and 8.2.2PL3 shows a rewrite of the code handling
external responses to an NXT query coming from BIND itself (see
bin/named/ns_resp.c). So I suppose that if your name server is public and
recursive, an external attacker can query your BIND for an NXT record in
another zone. If he has control of the name server of this zone, he can
send offending responses and trigger the bug.
I suspect every public server with 8.2 <= bind < 8.2.3PL3 is vulnerable.
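The post locates the fix in the code that processes NXT records arriving in responses (bin/named/ns_resp.c). As an added example, not BIND's code and not a reconstruction of the actual defect, here is a parser for NXT RDATA in the RFC 2535 wire format (next domain name, then a type bitmap of at most 16 octets) that checks every length against the RDATA boundary before reading; the names `parse_nxt`, `nxt_has_type` and `struct nxt_rdata` and the two sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NXT_MAX_BITMAP 16   /* RFC 2535: bitmap covers types 0..127, one bit each */
#define NXT_MAX_NAME   255  /* DNS name length limit */

struct nxt_rdata {
    char    next_name[NXT_MAX_NAME + 1]; /* "next" owner name in dotted text form */
    uint8_t bitmap[NXT_MAX_BITMAP];
    size_t  bitmap_len;
};

/* Hypothetical defensive parser: returns 0 on success, -1 on any malformed input.
 * Every read is bounded by rdlen, so a hostile response cannot make it read
 * past the RDATA it was handed. Compressed names are rejected for simplicity. */
int parse_nxt(const uint8_t *rdata, size_t rdlen, struct nxt_rdata *out)
{
    size_t pos = 0, namelen = 0;
    memset(out, 0, sizeof *out);
    for (;;) {
        if (pos >= rdlen) return -1;                 /* name runs past RDATA */
        uint8_t lab = rdata[pos++];
        if (lab == 0) break;                         /* root label ends the name */
        if (lab & 0xC0) return -1;                   /* pointer/extended labels rejected */
        if (pos + lab > rdlen) return -1;            /* label claims more than is there */
        if (namelen + lab + 1 > NXT_MAX_NAME) return -1;
        memcpy(out->next_name + namelen, rdata + pos, lab);
        namelen += lab;
        out->next_name[namelen++] = '.';
        pos += lab;
    }
    if (namelen == 0) out->next_name[namelen++] = '.';  /* bare root name */
    out->next_name[namelen] = '\0';
    size_t blen = rdlen - pos;
    if (blen == 0 || blen > NXT_MAX_BITMAP) return -1;  /* bitmap must be 1..16 octets */
    memcpy(out->bitmap, rdata + pos, blen);
    out->bitmap_len = blen;
    return 0;
}

/* Is RR type t present? Bit 0 of octet 0 (MSB) is type 0, so type t is octet t/8, bit 7-(t%8). */
int nxt_has_type(const struct nxt_rdata *r, unsigned t)
{
    if (t / 8 >= r->bitmap_len) return 0;   /* beyond the bitmap means "absent" */
    return (r->bitmap[t / 8] >> (7 - (t % 8))) & 1;
}

/* Constructed sample: next name "b.example.", bitmap marks A(1), NS(2), SOA(6), NXT(30). */
const uint8_t sample_nxt[] = { 1,'b', 7,'e','x','a','m','p','l','e', 0, 0x62,0x00,0x00,0x02 };
/* Constructed malformed sample: label length claims 9 octets but only 2 follow. */
const uint8_t bad_nxt[] = { 9,'b','x' };
```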