Vulnerability Note VU#13145

BIND memcpy not bounded in case T_SIG of rrextract()

Original Release date: 14 Nov 2001 | Last revised: 14 Nov 2001

Overview

Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.

Description

Version 8.2.2 of BIND includes some checks on the format of a DNSSEC signature (SIG) record that previous versions did not. Specifically, the file ns_resp.c contains a routine called rrextract() (rr = "resource record"). rrextract() contains a large switch block that converts resource records from the network format to the database format, doing different things depending on the type of record received. For case T_SIG, it decodes signature records. When it reaches the name of the signing domain, it executes the following block of code:

/* then the signer's name */
n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data) - 18);
if (n < 0 || n + NS_SIG_SIGNER > dlen) {
hp->rcode = FORMERR;
return (-1);
}

Slightly later, there is code that reads:

n = dlen - (NS_SIG_SIGNER + n);

and then...

memcpy(cp1, cp, n);

If an intruder can cause n to be large, the value computed for the third argument to memcpy will be negative. That argument is an unsigned int, so the negative value is interpreted as a very large positive one. A buffer can therefore be overflowed, but the copy is very, very large (~4GB on a 32-bit machine), so it may not be possible to use this overflow to execute code.

dn_expand is a routine that actually converts the resource record from the wire format to the database format. It returns -1 if there is an error in decoding the resource record.

NS_SIG_SIGNER is defined in nameser.h as follows:

/* Offsets into SIG record rdata to find various values */

#define NS_SIG_SIGNER 18 /* Domain name of who signed it */

Previous versions of BIND do not include the check involving NS_SIG_SIGNER, only the check for a negative return value from dn_expand (an error). Without this check, it appears that if a nameserver returns a malformed value, BIND will crash.
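The following is an added example, not BIND's own code, that models the length arithmetic described above: the signer-name length n returned by dn_expand is subtracted from the rdata length dlen, and the result is handed to memcpy as an unsigned size. The function sig_remaining_len(), its with_check flag and the sample values are constructed for illustration; the NS_SIG_SIGNER value is the one quoted from nameser.h.

```c
/* Added example: models the T_SIG length arithmetic from rrextract().
 * Not BIND's code; function names and sample values are constructed. */
#include <stddef.h>
#include <stdio.h>

#define NS_SIG_SIGNER 18   /* offset of the signer's name in SIG rdata (nameser.h) */
#define SIG_FORMERR   (-1) /* stands in for "hp->rcode = FORMERR; return (-1);" */

/*
 * Compute the number of signature bytes that follow the fixed SIG header
 * and the signer's name, as rrextract() does:  n = dlen - (NS_SIG_SIGNER + n)
 *
 * dlen       : rdata length as declared in the packet
 * signer_len : value returned by dn_expand() for the signer's name (-1 on error)
 * with_check : 0 models pre-8.2.2 code (only n < 0 is rejected),
 *              1 models the 8.2.2 check (n + NS_SIG_SIGNER > dlen is also rejected)
 * out        : receives the size that would be passed to memcpy()
 *
 * Returns 0 on success, SIG_FORMERR if the record is rejected.
 */
int sig_remaining_len(int dlen, int signer_len, int with_check, size_t *out)
{
    int n = signer_len;

    if (n < 0)
        return SIG_FORMERR;               /* dn_expand() failed: all versions reject */
    if (with_check && n + NS_SIG_SIGNER > dlen)
        return SIG_FORMERR;               /* 8.2.2: signer name runs past the rdata */

    n = dlen - (NS_SIG_SIGNER + n);       /* goes negative without the check above */
    *out = (size_t)n;                     /* memcpy() takes size_t: a negative n wraps */
    return 0;
}

/* True when the computed copy length cannot be right (exceeds the rdata itself). */
int sig_len_is_absurd(int dlen, size_t len)
{
    return dlen < 0 || len > (size_t)dlen;
}

int main(void)
{
    /* Constructed input: rdata claims 30 bytes, but the signer's name consumes 20. */
    size_t len = 0;
    if (sig_remaining_len(30, 20, 0, &len) == 0)
        printf("no check:   memcpy length = %zu (absurd: %d)\n", len, sig_len_is_absurd(30, len));
    printf("with check: rc = %d\n", sig_remaining_len(30, 20, 1, &len));
    return 0;
}
```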

Impact

Intruders may be able to interrupt the normal operations of your nameserver.

Solution

Upgrade to BIND 8.2.2 patch level 5 or later.

Systems Affected

Vendor                        Status        Date Notified  Date Updated
SCO                           Affected      -              05 Sep 2000
Fujitsu                       Not Affected  -              09 Nov 1999
Sun                           Not Affected  -              09 Nov 1999
Compaq Computer Corporation   Unknown       -              05 Nov 1999

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to ISC for reporting this problem.

This document was written by Shawn V Hernan.

Other Information

  • CVE IDs: CVE-1999-0835
  • CERT Advisory: CA-1999-14
  • Date Public: 10 Nov 99
  • Date First Published: 14 Nov 2001
  • Date Last Updated: 14 Nov 2001
  • Severity Metric: 8.86
  • Document Revision: 5