
ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability

by platon on January 30th, 2001

BIND is a server program that implements the Domain Name System (DNS) protocol. It is in extremely wide use on the Internet. Versions 8.2 and above of BIND contain a 'single byte' stack overflow that may be exploitable by remote attackers...


The vulnerability is present when BIND receives queries via the UDP transport protocol. When a query is received, it is read from the datagram into a local buffer on the stack and then processed. This buffer is 512 bytes in length, the maximum size of a DNS message carried in a single UDP datagram (the classic RFC 1035 limit).

When sending responses, BIND re-uses this buffer for creating the response. As BIND processes the request, it appends data to the DNS response (in the local buffer). Two variables keep track of the length of the DNS message built so far and of the number of bytes that can still be written to the buffer.

When a transaction signature (TSIG) is included in the query, BIND skips normal processing of the request and attempts to verify the signature. If the signature is invalid, a TSIG error response is appended at the location BIND believes to be the end of the message, based on the two variables described above. Since the message has not been processed normally, those variables were never brought into line with what is actually in the buffer, and the write lands past the end of the 512-byte buffer. The result is a one-byte overflow into the executing function's stack frame.

The TSIG response consists of fixed values, including zero-value bytes. On an x86 (little-endian) stack the first thing above the buffer is the least significant byte of the saved base pointer; if that byte is overwritten with a zero, the saved pointer is rounded down by up to 255 bytes and can end up pointing into the query buffer, memory under the control of the attacker.

If this happens, the attacker controls the stack frame of the calling function: when that function returns, it restores the corrupted base pointer as its stack pointer and pops its return address from the attacker-supplied data. If that address points to shellcode in the buffer, it will be executed with the privileges of named.
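The following C program is an added illustration of the mechanism described above and is not code from this advisory or from BIND. It models a 32-bit stack as an ordinary byte array, so no real memory corruption takes place: a 512-byte datagram buffer sits below the saved frame pointer and return address of the function that read it, with the caller's frame above that. The two bookkeeping variables, the query length, the TSIG error record bytes, the stack addresses and the shellcode location are all assumed values chosen so that the record overruns the buffer by exactly one byte. The vulnerable path writes the record without checking the remaining space; the hardened path refuses when the record does not fit.

```c
/* Simulated single-byte saved-frame-pointer overwrite. Addresses, sizes,
 * record bytes and frame layout are assumptions for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PACKETSZ       512          /* RFC 1035 DNS/UDP message limit */
#define TSIG_ERR_LEN   16           /* assumed size of the fixed TSIG error record */
#define FP_OFF         PACKETSZ     /* saved frame pointer sits right above the buffer */
#define RET_OFF        (PACKETSZ + 4)
#define CALLER_FP_OFF  536          /* caller's saved fp, above 16 bytes of caller locals */
#define CALLER_RET_OFF 540          /* caller's return address */
#define FRAME_SZ       544

#define FRAME_ADDR 0xbffff6a0u                    /* assumed address of the buffer */
#define CALLER_FP  (FRAME_ADDR + CALLER_FP_OFF)   /* 0xbffff8b8, caller's frame pointer */
#define LEGIT_RET  0x08049c20u                    /* assumed legitimate return address */
#define SHELLCODE  (FRAME_ADDR + 32)              /* assumed shellcode position inside buf */
#define QUERY_LEN  497                            /* 497 + 16 = 513: one byte too many */

struct frame { uint8_t mem[FRAME_SZ]; };          /* little-endian 32-bit stack, simulated */
struct acct  { size_t msglen; size_t buflen; };   /* bytes in the message / bytes still free */

static uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Frame as it looks once the datagram has been read: the attacker's query has
 * filled the buffer with a repeated pointer to the shellcode (constructed),
 * and the epilogue slots of both frames hold their legitimate values. */
static void setup_frame(struct frame *f)
{
    memset(f->mem, 0, sizeof f->mem);
    for (size_t off = 0; off + 4 <= PACKETSZ; off += 4)
        store32(f->mem + off, SHELLCODE);
    store32(f->mem + FP_OFF, CALLER_FP);
    store32(f->mem + RET_OFF, 0x0804a110u);           /* return into the caller (assumed) */
    store32(f->mem + CALLER_FP_OFF, 0xbffff8f0u);     /* caller's caller fp (assumed) */
    store32(f->mem + CALLER_RET_OFF, LEGIT_RET);
}

/* Fixed TSIG error record (bytes assumed); only the trailing zero matters here. */
static const uint8_t tsig_err[TSIG_ERR_LEN] = {
    0xc0, 0x0c, 0x00, 0xfa, 0x00, 0xff, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00 };

/* Vulnerable path (model): append at buf + msglen, trusting bookkeeping that
 * was never reconciled because normal processing was skipped. */
static void append_tsig_error_vuln(struct frame *f, struct acct *a)
{
    memcpy(f->mem + a->msglen, tsig_err, TSIG_ERR_LEN);   /* no check against buflen */
    a->msglen += TSIG_ERR_LEN;
}

/* Hardened path: refuse unless the record fits in the space still free. */
static int append_tsig_error_safe(struct frame *f, struct acct *a)
{
    if (TSIG_ERR_LEN > a->buflen) return -1;
    memcpy(f->mem + a->msglen, tsig_err, TSIG_ERR_LEN);
    a->msglen += TSIG_ERR_LEN;
    a->buflen -= TSIG_ERR_LEN;
    return 0;
}

/* Follow the epilogues: this frame's "leave; ret" restores the saved frame
 * pointer into ebp; the caller's "leave" then sets esp = ebp and pops ebp, and
 * its "ret" pops the return address from ebp + 4. Returns the address the
 * caller's "ret" would jump to, or 0 if it lies outside the simulated stack. */
static uint32_t simulate_caller_return(const struct frame *f)
{
    uint32_t fp = load32(f->mem + FP_OFF);
    uint32_t ret_src = fp + 4;
    if (ret_src < FRAME_ADDR || ret_src + 4 > FRAME_ADDR + FRAME_SZ) return 0;
    return load32(f->mem + (ret_src - FRAME_ADDR));
}

/* Run one scenario; reports the saved frame pointer after the write and the
 * append's return code, and returns where the caller would end up. */
uint32_t run_model(int hardened, uint32_t *saved_fp, int *rc)
{
    struct frame f;
    struct acct a = { QUERY_LEN, PACKETSZ - QUERY_LEN };   /* 15 bytes free */
    setup_frame(&f);
    if (hardened) *rc = append_tsig_error_safe(&f, &a);
    else { append_tsig_error_vuln(&f, &a); *rc = 0; }
    *saved_fp = load32(f.mem + FP_OFF);
    return simulate_caller_return(&f);
}

int main(void)
{
    uint32_t fp; int rc;
    uint32_t t = run_model(0, &fp, &rc);
    printf("vulnerable: saved fp %08x, caller returns to %08x (shellcode at %08x)\n", fp, t, SHELLCODE);
    t = run_model(1, &fp, &rc);
    printf("hardened:   rc %d, saved fp %08x, caller returns to %08x\n", rc, fp, t);
    return 0;
}
```

In the vulnerable run the record's final zero byte lands at offset 512, the low byte of the saved frame pointer, turning 0xbffff8b8 into 0xbffff800; the caller then pops its return address from offset 356 of the query buffer, which the attacker filled with pointers to the shellcode. The hardened run never writes, the frame pointer stays intact, and the caller returns to its legitimate address.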
