Buffer overflow reported by sscan

Mark.Andrews at nominum.com
Fri Mar 10 02:25:10 UTC 2000


> I'm a new bind admin and while learning about security I ran sscan
> (http://www.ben2.ucla.edu/~jsbach/) against my server. It reported :
> --<[ *VULN*: localhost: linux bind/iquery remote buffer overflow

	The code generates false positives.  It just attempts a
	valid inverse query of 1.2.3.4 and if it succeeds then says
	that the server is vulnerable.  Given that vulnerable servers
	and fixed ones both respond the same way to this query, all
	it really is saying is that the server has fake inverse
	queries turned on (unless you are using net 1 internally).

> and in /var/log/messages I found the following:
> Mar  9 14:03:02 3gig modprobe: can't locate module üôÿ¿?

	Unrelated to BIND.
> 
> I am running redhat linux 6.0 with bind upgraded to the vendor supplied
> rpm (bind-8.2.2_P3-1) `named -v` shows:
> named 8.2.2-P3 Thu Nov 11 00:04:50 EST 1999
>        
> root at porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.2_P3/src/bin/named
> 
> I downloaded the latest source from www.isc.org compiled and replaced
> the named binary and reran sscan with the same results.
> 
> Is this a known problem?  I was not able to find any more info about it
> on the web.

        This was fixed in the BIND 8.1.2-T3B release.  From src/CHANGES:

 365.   [security]      Missing bounds checking in inverse query handling
                        allowed an attacker to overwrite the server's stack.

	Mark

--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
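
The check described in the reply above, as an added example that is not part of the original message and is not sscan's code: it builds a well-formed RFC 1035 inverse query for 1.2.3.4 and contrasts a "success means vulnerable" verdict with what the response header actually supports. All function names are hypothetical, and the reply headers are constructed (header only), not captured from a server.

```python
import socket
import struct

OPCODE_IQUERY = 1  # RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_iquery(addr, msg_id=0x1234):
    """Well-formed inverse query: no question, one A record carrying addr."""
    flags = OPCODE_IQUERY << 11
    header = struct.pack("!HHHHHH", msg_id, flags, 0, 1, 0, 0)
    # root owner name, TYPE=A, CLASS=IN, TTL=0, RDLENGTH=4, RDATA=addr
    answer = b"\x00" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton(addr)
    return header + answer

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

def naive_verdict(resp):
    """The scanner logic described in the reply: any successful answer is flagged."""
    h = parse_header(resp)
    return "VULN" if h["qr"] == 1 and h["rcode"] == 0 else "ok"

def careful_verdict(resp):
    """What the response header alone lets you conclude."""
    h = parse_header(resp)
    if h["qr"] != 1 or h["opcode"] != OPCODE_IQUERY:
        return "not an IQUERY response"
    if h["rcode"] == 0:
        # Patched and unpatched servers answer alike, so success says
        # nothing about the overflow; compare the version instead.
        return "inverse queries answered; patch level unknown, check the version"
    return "inverse query rejected (%s)" % RCODES.get(h["rcode"], h["rcode"])

def sample_response(rcode, qdcount):
    # Constructed reply header (QR=1, opcode=IQUERY); not from a real server.
    flags = (1 << 15) | (OPCODE_IQUERY << 11) | rcode
    ancount = 1 if rcode == 0 else 0
    return struct.pack("!HHHHHH", 0x1234, flags, qdcount, ancount, 0, 0)

if __name__ == "__main__":
    for rc, qd in ((0, 1), (4, 0)):
        r = sample_response(rc, qd)
        print(naive_verdict(r), "|", careful_verdict(r))
```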