Linux Today: Linux News On Internet Time.






LinuxPPC.org: Security Advisory -- bind

Feb 02, 2001, 07:59

Package: bind
New Version: 8.2.3-0.6.x
Reference URL: http://www.securityfocus.com/vdb/?id=2302
http://www.securityfocus.com/vdb/?id=2304


Description:

BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet. Versions 8.2 and above of BIND contain a 'single byte' stack overflow that may be exploitable by remote attackers.

The vulnerability is present when BIND receives queries via the UDP transport protocol. When a query is received, it is read from the datagram into a local buffer on the stack and then processed. This buffer is 512 bytes in length, the maximum amount of information that can be sent in a single UDP datagram.

When sending responses, BIND re-uses this buffer for creating the response. As BIND processes the request, it appends data to the DNS response (in the local buffer). The length of the DNS message as well as the number of bytes that can be written are kept track of using two variables.

When a transaction signature is included in the query, BIND skips normal processing of the request and attempts to verify the signature. If the signature is invalid, a TSIG response is appended to a location in memory that BIND thinks is the end of the message (based on the two variables described above). Unfortunately, since BIND has not processed the message normally, this location is far from where it should be. This can result in the TSIG response being written partially over the executing function's stack frame.

The TSIG response consists of fixed values, including zero-value bytes. If the least significant byte of the saved base pointer in the stack frame is overwritten (with a zero, for example), it could end up referencing memory under the control of the attacker.

If this happens, the attacker has control over the stack frame of the calling function. An arbitrary address supplied by the attacker inserted within this region of memory can be referenced as a return address when the calling function returns. If this address points to shellcode, it will be executed with privileges of named.
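As an added illustration, not taken from BIND's source or from the LinuxPPC.org packages, the following C model shows the check the append described above lacks: a fixed 512-byte reply buffer with the two counters the advisory mentions (message length and bytes still writable), and an append that refuses to write when the counters are out of step or the record would not fit. All names and the 16-byte record size are assumptions.

```c
/* Added example, not BIND source: a fixed-size DNS reply buffer with the
 * two counters the advisory describes and a bounds-checked append.
 * Names and the TSIG record size are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_UDP_MAX 512   /* largest DNS message in one UDP datagram */
#define TSIG_ERR_LEN 16   /* assumed size of the fixed TSIG error record */

typedef struct {
    uint8_t data[DNS_UDP_MAX];  /* the local buffer reused for the reply */
    size_t  msglen;             /* bytes of reply built so far */
    size_t  avail;              /* bytes that may still be written */
} resp_buf_t;

/* Append len bytes at the end of the message. Returns 0 on success and
 * -1 when the counters disagree with the buffer or the record does not
 * fit; the vulnerable pattern trusted msglen and wrote unconditionally. */
int resp_append(resp_buf_t *r, const uint8_t *src, size_t len)
{
    if (r->msglen > sizeof r->data) return -1;               /* cursor past the buffer */
    if (r->avail != sizeof r->data - r->msglen) return -1;   /* counters out of sync */
    if (len > r->avail) return -1;                           /* record would overrun */
    memcpy(r->data + r->msglen, src, len);
    r->msglen += len;
    r->avail  -= len;
    return 0;
}

/* Append the fixed TSIG "bad signature" record (constructed placeholder bytes). */
int append_tsig_error(resp_buf_t *r)
{
    static const uint8_t tsig_err[TSIG_ERR_LEN] = {0};  /* zero-valued bytes */
    return resp_append(r, tsig_err, sizeof tsig_err);
}

/* Start a buffer with the given counter values and attempt the TSIG append. */
int tsig_append_scenario(size_t msglen, size_t avail)
{
    resp_buf_t r;
    memset(&r, 0, sizeof r);
    r.msglen = msglen;
    r.avail  = avail;
    return append_tsig_error(&r);
}
```

The scenario with msglen far ahead of what normal processing would have produced, and avail still at its initial value, is the inconsistent state the advisory describes; the check rejects it instead of writing past the frame.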


Download (Binaries):
bind-8.2.3-0.6.x.ppc.rpm
bind-devel-8.2.3-0.6.x.ppc.rpm
bind-utils-8.2.3-0.6.x.ppc.rpm

Download (Source):
bind-8.2.3-0.6.x.src.rpm

MD5 Checksums:
c79f635c632470923460d439bd0bc7c8 bind-8.2.3-0.6.x.ppc.rpm
8b88db66f43c0324d83770bb6e4c17c9 bind-8.2.3-0.6.x.src.rpm
0e38b579f5363708cb45ae03061cb5d3 bind-devel-8.2.3-0.6.x.ppc.rpm
6bd8ef3b54cbc0cde3442d79d4715246 bind-utils-8.2.3-0.6.x.ppc.rpm

Instructions: To update your packages, use

rpm -Fvh filename


for each RPM.
To verify each RPM, use

rpm --checksig filename


LinuxPPC.org's GPG key may be found here.
To resolve any package dependencies, please see rpmfind.net

Questions should be directed to jvagle@linuxppc.org