Nope...I haven't seen anything yet either. Maybe someone else can enlighten us? ;) On Nov 16, 2011 9:05 PM, "Larry W. Cashdollar" <[email protected]> wrote:
> Thanks Michael! > I guess 'ISC is working on determining the ultimate cause by which a > record with this particular inconsistency is cached' is the part I'm > interested in reading about and there are no details yet.. > > > http://www.isc.org/software/bind/advisories/cve-2011-4313 > > On Nov 16, 2011 8:53 PM, "Larry W. Cashdollar" <[email protected]> wrote: > > > >> Hello list, > >> I am wondering if anyone has more details on the bind9 DoS that just > >> came > >> out? (CVE-2011-4313) from what I can tell it appears a negative cached > >> DNS > >> object with a valid RR response associated with it(which shouldn't > >> exist) > >> will cause a vulnerabile bind9 server to crash. > >> > >> See lines 1890 - 1896 of query.c > >> 1890 if (result == DNS_R_NCACHENXRRSET) { > >> 1891 dns_rdataset_disassociate(rdataset); > >> 1892 /* > >> 1893 * Negative cache entries don't have sigrdatasets. > >> 1894 */ > >> 1895 INSIST(! dns_rdataset_isassociated(sigrdataset)); > >> 1896 } > >> > >> > >> Since allowing recursive queries must be enabled for this to work the > >> attacker must force a vulnerable dns server to query a malicous DNS > >> server by asking it to look up an NXrecord for a domain the attacker > >> controls dns for. Sending a response of NXdomain but having actual DNS > >> results in the response. > >> > >> I am wondering if someone has seen a good write up out there? > >> > >> Thanks > >> -- Larry C$ > >> > >> > >> _______________________________________________ > >> Full-Disclosure - We believe in it. > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >> Hosted and sponsored by Secunia - http://secunia.com/ > >> > > > > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
