Title: ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
BIND is a server program that implements the domain name service (DNS) protocol. It is in extremely wide use on the Internet. Versions 8.2 and above of BIND contain a buffer overflow that may be exploitable by remote attackers.
When BIND receives a query, it reads it into a buffer and then processes it. If the request came in via the UDP transport, the query is read by the 'datagram_read()' function into the 'u.buf' buffer. This buffer is on the stack and is 512 bytes in length, the maximum amount of information that can be sent in a single query response. If the request came in via the TCP transport, the query is copied into a buffer pointed to by 'sp->s_buf'. This buffer is allocated on the heap via the 'malloc()' function and is 64KB in length.
When sending responses, BIND re-uses this buffer for creating the response. As BIND processes the request, it appends data to the DNS response. When it's finished it modifies the DNS header and sends the response (which has been created in the request buffer).
The length of the DNS message and the number of bytes that can still be written are tracked in two variables. 'msglen' holds the amount of data currently in the buffer; 'buflen' holds the amount of free space remaining in the buffer.
Starting with BIND 8.2, when a transaction signature is included in the query, BIND skips normal processing of the request and attempts to verify the signature via the 'ns_find_tsig()' function. If the signature is invalid, a TSIG response is appended to the buffer, on the assumption that 'msglen' plus 'buflen' equals the size of the buffer.
Because normal processing has been skipped, 'msglen' plus 'buflen' is in fact almost twice the length of the buffer, so the TSIG record is written via 'ns_sign()' beyond the boundaries of the buffer. This can result in the TSIG response being written partially over the executing function's stack frame, or in overwriting malloc's internal bookkeeping structures.
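The following is an added illustration of the bookkeeping failure described above, not BIND's own code: a 512-byte message buffer whose 'buflen' has gone stale, with a length check that trusts 'buflen' alone beside one that recomputes free space from the real capacity. The structure, function names and the 60-byte TSIG record length are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QUERY_BUF_SIZE 512  /* UDP query buffer size described in the advisory */
#define TSIG_RR_LEN     60  /* constructed: size of the appended TSIG record  */

enum append_result { REFUSED = 0, WRITTEN = 1, OVERFLOWED = 2 };

/* Bookkeeping as the advisory describes it. The intended invariant is
 * msglen + buflen == size; the bug is a state where that no longer holds. */
struct msgbuf {
    unsigned char buf[QUERY_BUF_SIZE];
    size_t size;    /* real capacity of buf */
    size_t msglen;  /* bytes already in the buffer */
    size_t buflen;  /* bytes the caller believes are still free */
};

/* Vulnerable pattern: the only check is against buflen. If buflen is stale,
 * the check passes and the write lands past the end of buf. This demo reports
 * the overflow instead of performing the out-of-bounds write. */
enum append_result append_trusting_buflen(struct msgbuf *m, size_t rrlen) {
    if (rrlen > m->buflen) return REFUSED;
    if (m->msglen + rrlen > m->size) return OVERFLOWED; /* real code writes here */
    memset(m->buf + m->msglen, 0, rrlen);
    m->msglen += rrlen;
    m->buflen -= rrlen;
    return WRITTEN;
}

/* Hardened pattern: derive free space from the real capacity and msglen,
 * never from a separately tracked counter, then restore the invariant. */
enum append_result append_checked(struct msgbuf *m, size_t rrlen) {
    size_t free_space = (m->msglen <= m->size) ? m->size - m->msglen : 0;
    if (rrlen > free_space) return REFUSED;
    memset(m->buf + m->msglen, 0, rrlen);
    m->msglen += rrlen;
    m->buflen = m->size - m->msglen;
    return WRITTEN;
}

/* Build a buffer in a given state and append one TSIG record to it. */
enum append_result simulate(int hardened, size_t msglen, size_t buflen) {
    struct msgbuf m = { {0}, QUERY_BUF_SIZE, msglen, buflen };
    return hardened ? append_checked(&m, TSIG_RR_LEN)
                    : append_trusting_buflen(&m, TSIG_RR_LEN);
}

int main(void) {
    /* Stale state: a 500-byte query was read, but buflen still claims the
     * whole buffer is free because normal processing was skipped. */
    printf("trusting buflen: %d\n", simulate(0, 500, QUERY_BUF_SIZE)); /* 2 */
    printf("checked:         %d\n", simulate(1, 500, QUERY_BUF_SIZE)); /* 0 */
    return 0;
}
```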
The TSIG response consists of fixed values, including zero-value bytes. In the case of a request received via UDP, where the buffer is on the stack, the attacker may gain control over some portions of the stack frame of the calling function of 'datagram_read()'. On the Intel IA32 architecture it may be possible to overwrite the least significant byte of the saved frame pointer with a zero. In most instances this results in the saved frame pointer pointing into the area of memory holding the original DNS request, which is under the control of the attacker. An arbitrary address supplied by the attacker within this region of memory can then be used as a return address when the calling function returns. If this address points to shellcode, it will be executed with the privileges of named.
Predicting the result of the one-byte overflow of the frame pointer can be made easier by using the BID 2321 vulnerability to retrieve the stack activation record of the 'datagram_read()' function. This information can be used to calculate exactly where the frame pointer will point once its least significant byte is overwritten with a zero value.
In the case of a request received via TCP where the buffer is in the 'bss' or 'heap' region of process memory, while this is a buffer overflow, it cannot be exploited in the same way a stack overflow can be.
One way to exploit the vulnerability in this case is through corruption of malloc() structures. If an attacker can overwrite the beginning of a malloc()'ed block of memory and have it remain intact until free() is called on it, arbitrary locations in memory can be overwritten with attacker-supplied values.
An attacker may, for example, overwrite a return address on the stack with a value pointing to shellcode somewhere in executable memory. When the function returns, the supplied shellcode will be executed with privileges of named (typically root).
This attack against the malloc() structures only works against implementations of this function that maintain the linkage structures in the same memory area used to allocate memory. Implementations known to be vulnerable to this type of attack include the ones in the IRIX libc library, the Linux glibc library, and the Solaris libc library.
Affected Products:
- Caldera OpenLinux Desktop 2.3.0
- Caldera UnixWare 7.1.1
- Conectiva Linux 4.0.0
- Conectiva Linux 4.0.0 es
- Conectiva Linux 4.1.0
- Conectiva Linux 4.2.0
- Conectiva Linux 5.0.0
- Conectiva Linux 5.1.0
- Conectiva Linux 6.0.0
- Debian Linux 2.2.0
- Debian Linux 2.2.0 68k
- Debian Linux 2.2.0 alpha
- Debian Linux 2.2.0 arm
- Debian Linux 2.2.0 powerpc
- Debian Linux 2.2.0 sparc
- Debian Linux 2.3.0
- Debian Linux 2.3.0 68k
- Debian Linux 2.3.0 alpha
- Debian Linux 2.3.0 arm
- Debian Linux 2.3.0 powerpc
- Debian Linux 2.3.0 sparc
- IBM AIX 4.3.0
- IBM AIX 4.3.1
- IBM AIX 4.3.2
- IBM AIX 4.3.3
- ISC BIND 8.2.0
- ISC BIND 8.2.1
- ISC BIND 8.2.2
- ISC BIND 8.2.2 p1
- ISC BIND 8.2.2 p2
- ISC BIND 8.2.2 p3
- ISC BIND 8.2.2 p4
- ISC BIND 8.2.2 p5
- ISC BIND 8.2.2 p6
- ISC BIND 8.2.2 p7
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Linux Mandrake 6.0.0
- MandrakeSoft Linux Mandrake 6.1.0
- MandrakeSoft Linux Mandrake 7.0.0
- MandrakeSoft Linux Mandrake 7.1.0
- MandrakeSoft Linux Mandrake 7.2.0
- MandrakeSoft Single Network Firewall 7.2.0
- RedHat Linux 5.2.0 alpha
- RedHat Linux 5.2.0 i386
- RedHat Linux 5.2.0 sparc
- RedHat Linux 6.0.0
- RedHat Linux 6.0.0 alpha
- RedHat Linux 6.0.0 sparc
- RedHat Linux 6.1.0 alpha
- RedHat Linux 6.1.0 i386
- RedHat Linux 6.1.0 sparc
- RedHat Linux 6.2.0 E alpha
- RedHat Linux 6.2.0 E i386
- RedHat Linux 6.2.0 E sparc
- RedHat Linux 6.2.0 alpha
- RedHat Linux 6.2.0 i386
- RedHat Linux 6.2.0 sparc
- RedHat Linux 7.0.0 J alpha
- RedHat Linux 7.0.0 J i386
- RedHat Linux 7.0.0 J sparc
- RedHat Linux 7.0.0 alpha
- RedHat Linux 7.0.0 i386
- RedHat Linux 7.0.0 sparc
- S.u.S.E. Linux 6.0.0
- S.u.S.E. Linux 6.1.0
- S.u.S.E. Linux 6.1.0 alpha
- S.u.S.E. Linux 6.2.0
- S.u.S.E. Linux 6.3.0
- S.u.S.E. Linux 6.3.0 alpha
- S.u.S.E. Linux 6.4.0
- S.u.S.E. Linux 6.4.0 alpha
- S.u.S.E. Linux 6.4.0 ppc
- SCO eDesktop 2.4.0
- SCO eServer 2.3.0
- Trustix Trustix Secure Linux 1.0.0
- Trustix Trustix Secure Linux 1.1.0
References:
- ISC: BIND Security
- ISC: ISC BIND
- Sun Microsystems: Sun Alert ID: 26965 - Domain Name Service Vulnerabilities