• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: ISC BIND Internal Memory Disclosure Vulnerability

Severity: HIGH

Description:

BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, in use by most of the DNS servers.

The ISC has disclosed information about a vulnerability in BIND that may disclose memory contents to remote attackers. The vulnerability can be exploited if an attacker crafts a specially formed 'inverse query' that causes the behaviour to occur.

The memory disclosed is from the program's 'stack' region of memory, which stores internal-values related to execution as well as run-time/local variables. In addition to reading such information as environment-variables or function variables from the stack, it may also be possible for the attacker to make an assessment of the run-time memory layout.

This information could assist in more easily launched/successful platform/architechure and data-dependent attacks.

An example of this is the single-byte buffer overflow transaction signatures vulnerability in BIND (Bugtraq ID 2302). According to COVERT Advisory 2000-01 from Network Associates, it is possible to retrieve stack frames from BIND with this vulnerability. With this information, well-written exploit code can automatically know where a return address will be read from after a saved base pointer has been modified.

This hypothetical well-written exploit code can then automatically adjust the location of the replacement return address and exploit the vulnerability successfully (provided other conditions are met) on the first try.

As demonstrated above, such disclosed information may provide attackers with a cleaner, more efficient means of exploiting other vulnerabilities.

Affected Products:

• Caldera OpenLinux Desktop 2.3.0
• Caldera UnixWare 7.1.1
• Conectiva Linux 4.0.0
• Conectiva Linux 4.0.0 es
• Conectiva Linux 4.1.0
• Conectiva Linux 4.2.0
• Conectiva Linux 5.0.0
• Conectiva Linux 5.1.0
• Conectiva Linux 6.0.0
• Debian Linux 2.2.0
• Debian Linux 2.2.0 68k
• Debian Linux 2.2.0 alpha
• Debian Linux 2.2.0 arm
• Debian Linux 2.2.0 powerpc
• Debian Linux 2.2.0 sparc
• Debian Linux 2.3.0
• Debian Linux 2.3.0 68k
• Debian Linux 2.3.0 alpha
• Debian Linux 2.3.0 arm
• Debian Linux 2.3.0 powerpc
• Debian Linux 2.3.0 sparc
• HP HP-UX 10.10.0
• HP HP-UX 10.20.0
• HP HP-UX 10.24.0
• HP HP-UX 11.0.0
• HP HP-UX 11.0.0 4
• HP HP-UX 11.11.0
• IBM AIX 4.3.0
• IBM AIX 4.3.1
• IBM AIX 4.3.2
• IBM AIX 4.3.3
• ISC BIND 4.9.0
• ISC BIND 4.9.3
• ISC BIND 4.9.4
• ISC BIND 4.9.5
• ISC BIND 4.9.5P1
• ISC BIND 4.9.6
• ISC BIND 4.9.7
• ISC BIND 4.9.7-T1B
• ISC BIND 8.1.0
• ISC BIND 8.1.1
• ISC BIND 8.1.2
• ISC BIND 8.2.0
• ISC BIND 8.2.1
• ISC BIND 8.2.2
• ISC BIND 8.2.2 p1
• ISC BIND 8.2.2 p2
• ISC BIND 8.2.2 p3
• ISC BIND 8.2.2 p4
• ISC BIND 8.2.2 p5
• ISC BIND 8.2.2 p6
• ISC BIND 8.2.2 p7
• ISC BIND 8.2.3 Beta
• MandrakeSoft Corporate Server 1.0.1
• MandrakeSoft Linux Mandrake 6.0.0
• MandrakeSoft Linux Mandrake 6.1.0
• MandrakeSoft Linux Mandrake 7.0.0
• MandrakeSoft Linux Mandrake 7.1.0
• MandrakeSoft Linux Mandrake 7.2.0
• MandrakeSoft Single Network Firewall 7.2.0
• RedHat Linux 5.2.0 alpha
• RedHat Linux 5.2.0 i386
• RedHat Linux 5.2.0 sparc
• RedHat Linux 6.0.0
• RedHat Linux 6.0.0 alpha
• RedHat Linux 6.0.0 sparc
• RedHat Linux 6.1.0 alpha
• RedHat Linux 6.1.0 i386
• RedHat Linux 6.1.0 sparc
• RedHat Linux 6.2.0 E alpha
• RedHat Linux 6.2.0 E i386
• RedHat Linux 6.2.0 E sparc
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• RedHat Linux 7.0.0 J alpha
• RedHat Linux 7.0.0 J i386
• RedHat Linux 7.0.0 J sparc
• RedHat Linux 7.0.0 alpha
• RedHat Linux 7.0.0 i386
• RedHat Linux 7.0.0 sparc
• S.u.S.E. Linux 6.0.0
• S.u.S.E. Linux 6.1.0
• S.u.S.E. Linux 6.1.0 alpha
• S.u.S.E. Linux 6.2.0
• S.u.S.E. Linux 6.3.0
• S.u.S.E. Linux 6.3.0 alpha
• S.u.S.E. Linux 6.4.0
• S.u.S.E. Linux 6.4.0 alpha
• S.u.S.E. Linux 6.4.0 ppc
• SCO eDesktop 2.4.0
• SCO eServer 2.3.0
• Trustix Trustix Secure Linux 1.0.0
• Trustix Trustix Secure Linux 1.1.0

References:

• CERT: CA-20001-02
• CORE Security: Bind TSIG exploit
• ISC: BIND Security
• ISC: ISC BIND
• Sun Microsystems: Sun Alert ID: 26965 - Domain Name Service Vulnerabilities

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.