[12567] in bugtraq
Re: your mail
daemon@ATHENA.MIT.EDU (Firstname Lastname)
Sat Nov 13 21:55:36 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9911121207150.11963-100000@thrash.clan-rum.org>
Date: Fri, 12 Nov 1999 12:25:54 -0500
Reply-To: teak@THRASH.CLAN-RUM.ORG
From: Firstname Lastname <teak@THRASH.CLAN-RUM.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199911110238.DAA24292@sofuku.monster.org>
On Thu, 11 Nov 1999, Anonymous wrote:
> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!
I won't go into the exact details of exploiting the vulnerability, because it gets
kind of hairy, but it's a real threat.
I can get EIP on multiple versions of BIND. Tested so far:
812-t3b, 812-t4b, 812, and 821
The exploit has failed on a particular 812 binary I have, but a recent 812
binary (both of these binaries compiled from source retrieved from isc.org)
was exploitable. Go figure. I also have an 812-t3b binary which the
exploit does not work on. So far, I can't find a pattern as to which
versions of BIND actually process NXT RRs. As I said, I had two binaries
of the 812 release: one processed NXT RRs and the other didn't.
The overflow takes place while processing *ANY* answer from another nameserver.
All the answer needs to contain is a properly formatted NXT record. It
doesn't matter whether it answers the question, but the answer name must
match the queried name.
nimrood
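The trigger condition the post describes, as an added example that is not part of the original post and not BIND code: a small Python parser that checks a DNS response for an NXT RR (type 30, RFC 2535) in the answer section whose owner name equals the queried name, run over a constructed sample message. It shows only the record layout (RFC 1035 name encoding and compression, NXT next-name plus type bitmap) and the check a responder might use to spot this shape in traffic; it does not show the overflow itself. The query name, the bitmap contents and the message id are made up for the sample.

```python
"""Added example: recognise the response shape the post describes, namely a
DNS answer section carrying an NXT RR (type 30, RFC 2535 section 5) whose
owner name equals the queried name.  The sample message is constructed here;
it is not a capture.  Only the parsing and the check are shown."""
import struct

TYPE_A = 1
TYPE_NXT = 30
CLASS_IN = 1
HEADER_LEN = 12


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off:], following compression pointers
    (RFC 1035 4.1.4).  Returns (name, offset just past the name in place)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs off the end of the message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # name ends after first pointer
            hops += 1
            if ptr >= off or hops > 64:               # pointers must go backwards
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        if length > 63:
            raise ValueError("bad label length")
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Parse header, question section and answer section of a DNS message.
    Authority and additional sections are not needed for this check."""
    if len(msg) < HEADER_LEN:
        raise ValueError("short header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    off = HEADER_LEN
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDATA runs off the end of the message")
        answers.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata_off": off, "rdlen": rdlen})
        off += rdlen
    return {"id": ident, "flags": flags, "questions": questions, "answers": answers}


def parse_nxt_rdata(msg, off, rdlen):
    """NXT RDATA (RFC 2535 5.2): next owner name, then a type bitmap in which
    bit n set means RR type n exists at the owner name."""
    next_name, end = decode_name(msg, off)
    bitmap = msg[end:off + rdlen]
    types = [i for i in range(len(bitmap) * 8) if bitmap[i // 8] & (0x80 >> (i % 8))]
    return next_name, types


def nxt_answers_matching_qname(msg):
    """Return (owner, next_name, types) for each NXT RR in the answer section
    whose owner name equals the first question's QNAME: the condition the
    post says is sufficient for the vulnerable code path to run."""
    m = parse_message(msg)
    if not m["questions"]:
        return []
    qname = m["questions"][0][0]
    hits = []
    for rr in m["answers"]:
        if rr["type"] == TYPE_NXT and rr["class"] == CLASS_IN and rr["name"] == qname:
            next_name, types = parse_nxt_rdata(msg, rr["rdata_off"], rr["rdlen"])
            hits.append((rr["name"], next_name, types))
    return hits


def build_sample_response(qname="example.com.", owner=None):
    """Constructed sample (not a capture): a reply to an A query for qname
    whose single answer RR is an NXT record.  With owner=None the RR's owner
    is a compression pointer back to the question name (offset 12); pass a
    different owner to build a non-matching control message."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    owner_bytes = b"\xc0\x0c" if owner is None else encode_name(owner)
    bitmap = bytes([0x62, 0x00, 0x00, 0x02])  # A(1), NS(2), SOA(6), NXT(30) present
    rdata = encode_name("foo." + qname) + bitmap
    rr = owner_bytes + struct.pack("!HHIH", TYPE_NXT, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    for label, msg in (("matching owner", build_sample_response()),
                       ("other owner", build_sample_response(owner="other.example.com."))):
        print(label, nxt_answers_matching_qname(msg))
```

The control message with a different owner name is there because the post's condition is specifically "answer name matches the queried name", not "an NXT RR is present anywhere"; a detection that fires on any NXT record would also match legitimate DNSSEC-signed negative answers of the period.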