US-CERT Vulnerability Notes Database
Vulnerability Note VU#13145

BIND memcpy not bounded in case T_SIG of rrextract()

Overview

Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.

I. Description

Version 8.2.2 of BIND includes some checks for the correct format of a signature record in DNSSEC that previous versions did not. Specifically, in the file ns_resp.c, there is a routine called 'rrextract'. (rr = "resource record"). rrextract contains a large switch block that converts resource records from the network format to the database format, doing different things depending on the type of record received. For case T_SIG, it decodes the signature records. When it gets to the name of the signing domain, there is the following block of code:

/* then the signer's name */
n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data) - 18);
if (n < 0 || n + NS_SIG_SIGNER > dlen) {
hp->rcode = FORMERR;
return (-1);
}

Slightly later, there is code that reads:

n = dlen - (NS_SIG_SIGNER + n);

and then...

memcpy(cp1, cp, n);

If an intruder can cause n to be large, the third argument to the memcpy will be negative. The third argument is an unsigned int, so the negative value will be interpreted as a large positive one. Thus you can indeed overflow a buffer, but the copy is very, very large (~4GB on a 32-bit machine); it may not be possible to use this overflow to execute code.

dn_expand is a routine that actually converts the resource record from the wire format to the database format. It returns -1 if there is an error in decoding the resource record.

NS_SIG_SIGNER is defined in nameser.h as follows:

/* Offsets into SIG record rdata to find various values */

#define NS_SIG_SIGNER 18 /* Domain name of who signed it */

Previous versions of BIND do not include the checks related to NS_SIG_SIGNER, only a check for a negative value returned from dn_expand (an error). Without this check, it appears that if a nameserver returns a malformed value, BIND will crash.
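The following is an added illustration, not code from BIND or from the ISC advisory. It reproduces the length arithmetic quoted above (dlen minus the 18-byte SIG header and the n bytes consumed by the signer's name) to show how a negative int becomes a huge size_t once it reaches memcpy, and then puts the same computation behind a check that is bounded by the space remaining in the destination buffer. NS_SIG_SIGNER is the constant from nameser.h; the buffer size, the function names and the sample rdata are hypothetical values constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From nameser.h (quoted in the note): offset of the signer name in SIG rdata. */
#define NS_SIG_SIGNER 18

/* Hypothetical stand-in for BIND's `data` buffer size; not the real value. */
#define DATA_BUF_SIZE 64

/* The arithmetic as the note describes it: whatever rdata remains after the
 * fixed header and the signer name is the signature. The int result is
 * converted to size_t here exactly as it would be when passed to memcpy,
 * so a negative remainder shows up as an enormous length. */
size_t naive_sig_len(int dlen, int n) {
    int remaining = dlen - (NS_SIG_SIGNER + n);
    return (size_t)remaining;   /* e.g. -8 wraps to SIZE_MAX - 7 */
}

/* Hardened variant: keep the 8.2.2 check on the source side and add a bound
 * on the destination side. Returns the signature length, or -1 for the
 * FORMERR path, so the caller never hands memcpy a value it did not vet. */
int checked_sig_len(int dlen, int n, size_t dst_avail) {
    if (n < 0 || n + NS_SIG_SIGNER > dlen)   /* the check quoted in the note */
        return -1;
    int remaining = dlen - (NS_SIG_SIGNER + n);   /* >= 0 after the check above */
    if ((size_t)remaining > dst_avail)            /* added: bound by destination */
        return -1;
    return remaining;
}

/* Copy the signature bytes into a bounded destination buffer.
 * Returns bytes copied, or -1 if the record is rejected. */
int copy_signature(const unsigned char *rdata, int dlen, int n,
                   unsigned char *dst, size_t dst_size) {
    int len = checked_sig_len(dlen, n, dst_size);
    if (len < 0)
        return -1;
    memcpy(dst, rdata + NS_SIG_SIGNER + n, (size_t)len);
    return len;
}

/* Constructed 40-byte rdata: 18-byte header, a 10-byte signer name, 12 signature
 * bytes (0xA0..0xAB). Returns 12 on success, -1 if rejected, -2 on a content mismatch. */
int demo_copy(void) {
    unsigned char rdata[40];
    unsigned char dst[DATA_BUF_SIZE];
    for (int i = 0; i < 40; i++)
        rdata[i] = (i < 28) ? 0x00 : (unsigned char)(0xA0 + (i - 28));
    int len = copy_signature(rdata, 40, 10, dst, sizeof dst);
    if (len < 0)
        return len;
    return memcmp(dst, rdata + 28, (size_t)len) == 0 ? len : -2;
}

/* Constructed rdata too short for the claimed name: must be rejected, not copied. */
int demo_reject(void) {
    unsigned char rdata[20] = {0};
    unsigned char dst[DATA_BUF_SIZE];
    return copy_signature(rdata, 20, 10, dst, sizeof dst);
}

int main(void) {
    printf("naive length for dlen=20, n=10: %zu\n", naive_sig_len(20, 10));
    printf("checked copy of well-formed record: %d\n", demo_copy());
    printf("checked copy of short record: %d\n", demo_reject());
    return 0;
}
```

Run stand-alone, the first line prints a length in the billions on a 32-bit build and far larger on 64-bit, which is the "~4GB" figure in the note; the checked path copies the 12 signature bytes for the well-formed record and returns -1 for the short one without touching the destination.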

II. Impact

Intruders may be able to interrupt the normal operations of your nameserver.

III. Solution

Upgrade to BIND 8.2.2 patch level 5 or later.

Systems Affected

Vendor                        Status          Date Notified   Date Updated
Compaq Computer Corporation   Unknown         5-Nov-1999
Fujitsu                       Not Vulnerable  9-Nov-1999
SCO                           Vulnerable      5-Sep-2000
Sun                           Not Vulnerable  9-Nov-1999

References

http://www.isc.org/products/BIND/bind-security-19991108.html
Redhat Security Advisory RHSA-1999:054-01
http://www.debian.org/security/1999/19991116

Credit

Thanks to ISC for reporting this problem.

This document was written by Shawn V Hernan.

Other Information

Date Public: 99-11-10
Date First Published: 2001-11-14
Date Last Updated: 2001-11-14
CERT Advisory: CA-1999-14
CVE-ID(s): CVE-1999-0835
NVD-ID(s): CVE-1999-0835
US-CERT Technical Alerts: 
Severity Metric: 8.86
Document Revision: 5

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2001 Carnegie Mellon University