Vulnerability Note VU#196945

ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code

Original Release date: 29 Jan 2001 | Last revised: 01 May 2002

Overview

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 8.2.x, which may allow remote intruders to gain access to systems running BIND. DNS servers running BIND 8 are responsible for the majority of name resolution services on the Internet.

This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.

Description

During the processing of transaction signatures, BIND performs a test for signatures that fail to include a valid key. If a transaction signature is found in the request, but a valid key is not included, BIND skips normal processing of the request and jumps directly to code designed to send an error response. Because this code fails to initialize variables in the same manner as the normal processing, later function calls make invalid assumptions about the size of the request buffer. In particular, the code to add a new (valid) signature to the response may overflow the request buffer and overwrite adjacent memory on the stack or heap. Overwriting this memory can allow an intruder (in conjunction with other buffer overflow exploit techniques) to gain unauthorized access to the vulnerable system.

The flawed program logic is distributed over several function calls within the BIND software. When the attacker sends a UDP request, the packet will be loaded into a buffer on the stack (u.buf) by the function datagram_read(). On the other hand, TCP requests are loaded into a buffer (sp->s_buf) on the heap by the function stream_getmsg(). Regardless of the protocol, each of these functions call dispatch_message(), which in turn calls ns_req().

The ns_req() function handles the request. A call to ns_find_tsig() determines if a transaction signature exists in the request, and find_key() is called thereafter to determine if a valid key has been included. In the case where a transaction signature is found but the key is NULL, msglen is computed to include only the portion of the request before the signature. This is where the problem occurs, because the variables buflen and msglen are assumed through most of the code to add up to the total size of the buffer allocated for holding the request.

BIND uses the same buffer for storing the request and generating the response. Specifically, the response is composed by appending an error code and a transaction signature to the existing request. Since the new transaction signature is supposed to overwrite the signature of the request, msglen was modified to reflect the request length minus the signature length. However, buflen was not modified to reflect the new value of msglen, causing subsequent function calls (specifically ns_sign) to cause BIND to overwrite memory adjacent to the packet buffer.

These overwrites may allow an intruder to create conditions required for the execution of arbitrary code. Because the overflows occur on the stack for UDP requests and on the heap for TCP requests, the specific details of the exploit begin to differ at this point. Both scenarios result in the same impact -- the attacker can execute arbitrary code on the vulnerable system.

For more information on transaction signatures, please visit:

Impact

This vulnerability may allow an attacker to execute privileged commands or code with the same permissions as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.

Solution

The ISC has released BIND version 8.2.3 to address this security issue as well as others. The CERT/CC strongly recommends that all users of BIND 8.2.x upgrade to 8.2.3 immediately. The ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1.

The BIND 8.2.3 distribution can be downloaded from:


The BIND 9.1 distribution can be downloaded from:

Please note that upgrading to BIND 8.2.3 also addresses the information leakage vulnerability discussed in VU#325431.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
CalderaAffected18 Jan 200129 Jan 2001
Compaq Computer CorporationAffected18 Jan 200104 Apr 2001
ConectivaAffected29 Jan 200104 Apr 2001
DebianAffected18 Jan 200105 Apr 2001
FreeBSDAffected18 Jan 200111 May 2001
IBMAffected18 Jan 200105 Apr 2001
ImmunixAffected31 Jan 200105 Apr 2001
ISCAffected05 Jan 200104 Apr 2001
MandrakeSoftAffected03 Feb 200104 Apr 2001
NetBSDAffected18 Jan 200105 Apr 2001
RedHatAffected18 Jan 200104 Apr 2001
SCOAffected18 Jan 200101 May 2002
SlackwareAffected03 Feb 200105 Apr 2001
SunAffected18 Jan 200107 Aug 2001
SuSEAffected03 Feb 200105 Apr 2001
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks the COVERT Labs at PGP Security for discovering and analyzing this vulnerability and the Internet Software Consortium for providing a patch to fix it.

This document was written by Cory F Cohen.

Other Information

  • CVE IDs: CAN-2001-0010
  • CERT Advisory: CA-2001-02
  • Date Public: 29 Jan 2001
  • Date First Published: 29 Jan 2001
  • Date Last Updated: 01 May 2002
  • Severity Metric: 50.87
  • Document Revision: 59

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.