
ISC Bind 8 Transaction Signatures Heap Overflow Vulnerability

by platon on January 30th, 2001

BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet. Versions 8.2 and above of BIND contain a heap-corruption vulnerability that may be exploitable by remote attackers...


The vulnerability is present when BIND receives queries via the TCP transport protocol. When a query is received, it is read from the TCP stream into a malloc()'d buffer.
When sending responses, BIND re-uses this buffer for creating the reply. As BIND processes the request, it appends data to the DNS response (in the malloc'd buffer). Two variables keep track of the length of the DNS message and the number of bytes that can still be written.
When a transaction signature is included in the query, BIND skips normal processing of the request and attempts to verify the signature. If the signature is invalid, a TSIG response is appended at the location in memory that BIND believes to be the end of the message (based on the two variables described above). Unfortunately, since BIND has not processed the message normally, this location is far from where it should be. This can result in the TSIG response being written beyond the boundaries of the allocated block of memory.
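The following C program is an added illustration of the bookkeeping problem described above; it is a hypothetical model, not BIND's source. The `reply_buf` structure, the `TSIG_RR_LEN` size and the byte counts in the scenarios are all constructed. The "unchecked" function shows why an append that trusts a length counter nobody updated can land past the end of the block (it computes the overrun instead of performing the write), and the "checked" function shows the defensive form: bounds are verified against the allocation itself, and the counter is resynchronised after every append.

```c
/* Added example: a model of stale length bookkeeping in a reused
 * malloc'd reply buffer. Not BIND code; all names and sizes are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed size of the TSIG error record appended to a reply. */
#define TSIG_RR_LEN 48

/* Model of the reply buffer: one malloc'd block plus two counters that
 * only normal request processing keeps in step with the allocation. */
typedef struct {
    unsigned char *buf;
    size_t buflen;     /* ground truth: bytes actually allocated */
    size_t msglen;     /* believed end of the DNS message */
    size_t remaining;  /* believed number of bytes still writable */
} reply_buf;

/* Vulnerable pattern: the append only consults `remaining`, which was never
 * brought in line with the allocation because normal processing was skipped.
 * Instead of doing the out-of-bounds write, return how many bytes would land
 * past the end of the block (0 means the write stays in bounds). */
size_t tsig_append_unchecked_overflow(const reply_buf *r, size_t rrlen)
{
    if (rrlen > r->remaining)       /* the only check the stale counter allows */
        return 0;                   /* refused, nothing would be written */
    size_t end = r->msglen + rrlen; /* where the write would finish */
    return end > r->buflen ? end - r->buflen : 0;
}

/* Hardened pattern: check against the allocation, never against bookkeeping
 * an earlier code path may have skipped. Returns 0 after appending, or -1
 * with nothing written. */
int tsig_append_checked(reply_buf *r, const unsigned char *rr, size_t rrlen)
{
    if (r->msglen > r->buflen || rrlen > r->buflen - r->msglen)
        return -1;
    memcpy(r->buf + r->msglen, rr, rrlen);
    r->msglen += rrlen;
    r->remaining = r->buflen - r->msglen; /* resynchronise the counter */
    return 0;
}

/* Scenario (constructed numbers): a 512-byte block, but the counters still
 * claim the message ends at byte 500 with 200 bytes to spare. */
size_t scenario_unchecked(void)
{
    reply_buf r = { NULL, 512, 500, 200 };
    return tsig_append_unchecked_overflow(&r, TSIG_RR_LEN); /* 36 bytes past the end */
}

int scenario_checked_refused(void)
{
    unsigned char block[512];
    unsigned char rr[TSIG_RR_LEN] = { 0 };
    reply_buf r = { block, sizeof block, 500, 200 };
    return tsig_append_checked(&r, rr, sizeof rr); /* -1: only 12 bytes really left */
}

/* Same check with honest counters: the append fits and msglen advances. */
size_t scenario_checked_ok(void)
{
    unsigned char block[512];
    unsigned char rr[TSIG_RR_LEN] = { 0 };
    reply_buf r = { block, sizeof block, 100, 412 };
    if (tsig_append_checked(&r, rr, sizeof rr) != 0)
        return 0;
    return r.msglen; /* 148 */
}

int main(void)
{
    printf("unchecked append overruns block by %zu bytes\n", scenario_unchecked());
    printf("checked append with stale counters: %d\n", scenario_checked_refused());
    printf("checked append with honest counters: msglen=%zu\n", scenario_checked_ok());
    return 0;
}
```

The point of the model is where the bound comes from: a counter that a skipped code path left stale is not a bound at all, whereas `buflen - msglen` is anchored to the block that was actually allocated.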
While this is a buffer overflow, it occurs in the 'bss' or 'heap' region of process memory. It cannot be exploited in the same way a stack overflow can be. In addition, this part of memory is not executable, therefore any shellcode must somehow be put on the stack.
The most likely way to exploit a vulnerability like this is through corruption of malloc() structures. If an attacker can overwrite the beginning of a malloc()'ed block of memory and have it remain intact until free() is called on it, arbitrary locations in memory can be overwritten with attacker-supplied values.
An attacker may, for example, overwrite a return address on the stack with a value pointing to shellcode somewhere in executable memory. When the function returns, the supplied shellcode will be executed with the privileges of named (typically root).
