Internet.com ISP-Planet
ISC to Form Fee-based BIND Information Exchange

ISP owners can't put a price tag on network security, but that's what one group is doing with an early-alert service announcing system vulnerabilities. The issue begs the question—won't malcontents pay for the service, too?

by ISP-Planet Staff
[February 5, 2001]

The non-profit Internet Software Consortium, provider of the Berkeley Internet Name Domain (BIND) software, which is used by about 80 percent of the name servers on the Internet, last week revealed it will create an exchange to share information about security flaws in the software.

The decision to establish the exchange—which companies will pay a fee to join, though the fee will be waived for non-profits—follows in the wake of the announcement that four security flaws in certain versions of the BIND software had been unearthed.

The security discovery was made public by the Computer Emergency Response Team (CERT). But CERT's security advisories are open to the general public, meaning businesses and individuals running name servers with unsecured BIND software get information about security flaws at the same time crackers do. This means malicious programmers can often use the very exploits warned against by CERT to initiate Denial of Service (DoS) attacks.

Such was the case with the most recent warning. Network Associates Inc.'s COVERT Labs discovered three of the four flaws that CERT relayed to the public. Within two days, a cracker posted details of one of those exploits on SecurityFocus.com's Bugtraq mailing list. When list members downloaded the exploit, they also downloaded a Trojan which used one of the flaws to launch a DoS attack against Network Associates. While Network Associates quickly contained the attack, it demonstrates the speed with which crackers can make use of security advisories.

The ISC's information service—slated to begin later this month—is an attempt to work around that problem by giving legitimate businesses and individuals access to prerelease source code. Members will be required to register and use encrypted e-mail.

The solution does not sit well with some members of the security community, who said that BIND should remain open and that public discussion will make it more secure, not less.

Vulnerabilities in BIND 4 and 8
BIND 8 contains a buffer overflow that allows a remote attacker to execute arbitrary code. The overflow is in the initial processing of a DNS request and therefore does not require an attacker to control an authoritative DNS server. In addition, the vulnerability is not dependent upon configuration options and affects both recursive and non-recursive servers. This vulnerability has been designated as CVE candidate CAN-2001-10.

COVERT Labs considers the risk to be high because BIND 4 contains a buffer overflow that can allow a remote attacker to execute arbitrary code.

The overflow occurs when BIND reports an error while attempting to locate IP addresses for name servers. Exploitation of this vulnerability is restricted by the fact that the target name server must be recursive and that the attacker must control an authoritative DNS server.

The group considers the BIND 4 format string vulnerability a medium risk, even though it allows a remote attacker to execute arbitrary code. This vulnerability also occurs when BIND reports an error while attempting to locate IP addresses for name servers, and thus has the same restrictions on exploitation as the buffer overflow.

This vulnerability was fixed several versions prior to the current version of BIND 4, but is still present in certain UNIX distributions.

Vulnerable systems include those operating BIND 8 versions:

  • 8.2, 8.2.1
  • 8.2.2 through to 8.2.2-P7
  • 8.2.3-T1A through to 8.2.3-T9B

And BIND 4 versions:

  • buffer overflow - 4.9.5 through to 4.9.7
  • format string - 4.9.3 through to 4.9.5-P1
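
The version lists above are what an administrator has to compare their own servers against. The following script is an added example, not part of the article or of ISC's code: it parses BIND 4/8 version strings (including the -P patch, -T test and -REL release suffixes) into release order and reports which of the listed ranges a server's `version.bind` answer falls into. The host names and banner answers are constructed sample data.

```python
import re

# Vulnerable ranges (inclusive) copied from the version lists in the article above.
VULNERABLE_RANGES = [
    ("BIND 8 TSIG buffer overflow", "8.2", "8.2.1"),
    ("BIND 8 TSIG buffer overflow", "8.2.2", "8.2.2-P7"),
    ("BIND 8 TSIG buffer overflow", "8.2.3-T1A", "8.2.3-T9B"),
    ("BIND 4 syslog-warning buffer overflow", "4.9.5", "4.9.7"),
    ("BIND 4 syslog format string", "4.9.3", "4.9.5-P1"),
]

# Release stages in the order they ship: test builds (-T), the release itself
# (no suffix, or -REL as BIND 8 prints it), then patch levels (-P).
_STAGE = {"T": 0, "": 1, "REL": 1, "P": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(T|P|REL)(\d*)([A-Z]?))?$")


def parse_version(text):
    """Turn '8.2.2-P7', '8.2.3-T9B' or '4.9.5' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip().strip('"').upper())
    if not m:
        return None  # hidden, spoofed or non-ISC banner: cannot be classified
    major, minor, patch, stage, num, letter = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage or ""], int(num or 0), letter or "")


def findings_for(version_text):
    """Return the advisory findings that apply to one version.bind answer (sorted, deduplicated)."""
    key = parse_version(version_text)
    if key is None:
        return ["unparseable version string; check the server by hand"]
    return sorted({name for name, low, high in VULNERABLE_RANGES
                   if parse_version(low) <= key <= parse_version(high)})


def triage(banners):
    """Map each server to its findings; an empty list means 4.9.8, 8.2.3 or 9.x (or outside the lists)."""
    return {host: findings_for(ver) for host, ver in banners.items()}


# Constructed sample answers to 'dig @<server> version.bind CH TXT' (not real hosts).
SAMPLE_BANNERS = {
    "ns1.example.test": '"8.2.2-P5"',
    "ns2.example.test": '"8.2.3-REL"',
    "ns3.example.test": '"4.9.5-P1"',
    "ns4.example.test": '"9.1.0"',
    "ns5.example.test": '"none of your business"',
}

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {', '.join(findings) if findings else 'not in a listed vulnerable range'}")
```

A server that hides or rewrites its version string (the ns5 case) cannot be classified this way and needs to be checked from the package inventory instead.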

Vulnerability overview
While the two older versions of BIND distributed by the ISC, BIND version 4 and BIND version 8, are vulnerable to the attacks described in COVERT Labs' advisory, the most recent release of BIND, version 9, is not susceptible to these attacks.

BIND version 8 contains a buffer overflow in the implementation of Transaction Signatures (TSIG) for DNS security as defined in RFC 2845. Because the overflow occurs within the initial processing of a DNS request, both recursive and non-recursive DNS servers are vulnerable, independent of the DNS security configuration. The mechanisms employed by the DNS server make it susceptible to two potential methods of attack.

An attacker can perform a stack-based buffer overflow, with two important qualifications: first, the number of bytes past the end of the buffer that the attacker can overwrite is limited, and second, the values of those bytes are mostly fixed. On the x86 architecture, the attacker can manipulate enough bytes to modify the saved frame pointer. Overwriting the least significant byte of the saved frame pointer can result in the execution of arbitrary code in certain predictable installations of the name server.

An attacker can also perform a heap overflow, overwriting malloc's internal variables. This method is very effective, though it requires that an operating system's implementation of malloc stores internal data structures in the allocated memory. For this attack to be successful, TCP port 53 must be accessible.

BIND version 4 contains a buffer overflow in a section of code that formulates a warning message for a call to syslog. There are several conditions that can lead to the triggering of this overflow, all of which involve the resolution of NS records into IP addresses. This vulnerability is a standard stack overflow, but the information an attacker is able to present is limited to printable characters. This limitation makes susceptibility to exploitation contingent upon the layout of the named process within memory, and possibly upon the amount of memory available to be allocated by the name server.

In older versions of BIND 4, the previously mentioned call to syslog utilizes a user controllable string as the second argument, which creates an exploitable condition. The same restriction applies, in that the format string is limited to printable characters. Despite this restriction, a remote attacker is still able to create a malicious format string to exploit the vulnerable syslog function call.

Resolutions
ISC has produced patches to address these issues. Except as otherwise noted, BIND versions 4.9.8 and 8.2.3 resolve the vulnerabilities described in the advisory; the fixes are also included in the updated versions of BIND now available for download.

In cooperation with COVERT Labs, the CERT Coordination Center will continue to update information about vulnerable distributions of BIND from third-party vendors. The most current vendor information can be found under the CERT Advisory CA-2001-02 announcement, "Multiple Vulnerabilities in BIND".
