Vulnerability Note VU#844360

Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups

Original Release date: 13 Nov 2002 | Last revised: 24 Apr 2003

Overview

The DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10 contains buffer overflows in code that handles responses for network name and address requests. Other resolver libraries derived from BIND 4 such as BSD libc, GNU glibc, and those used by System V UNIX systems may also be affected. An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service.

Description

A DNS stub resolver library provides an interface for network applications to make requests and receive responses from the domain name system. The BIND 4 resolver library (libresolv.a) contains several buffer overflows in the functions that handle responses for network name and address requests (getnetbyname(), getnetbyaddr()). While reading the answer portion of a DNS response, the functions copy data received from the network into inadequately sized buffers. A specially crafted DNS response could overflow the buffers, possibly injecting arbitrary code onto the stack.
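The class of defect described above, shown from the defensive side as an added example; this is not code from ISC BIND or from this advisory. It expands a name from a DNS answer into a fixed-size buffer and rejects anything that would leave the message or overrun the destination. The names `expand_name`, `MAX_HOPS` and `sample_msg` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 16 /* assumed cap on compression pointers followed */

/* Constructed sample: "net.example" at offset 0, a pointer to it at 13. */
static const uint8_t sample_msg[] = {
    3, 'n', 'e', 't', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0, 0xC0, 0x00 };

/* Expand the name at msg[off] into dst as dotted text. Returns the text
 * length, or -1 if the name is malformed, leaves the message, loops, or
 * does not fit in dst together with its terminating NUL. */
int expand_name(const uint8_t *msg, size_t msglen, size_t off,
                char *dst, size_t dstlen)
{
    size_t out = 0;
    int hops = 0;
    if (dstlen == 0) return -1;
    for (;;) {
        if (off >= msglen) return -1;         /* length byte in bounds */
        uint8_t len = msg[off++];
        if (len == 0) break;                  /* root label ends the name */
        if ((len & 0xC0) == 0xC0) {           /* compression pointer */
            if (off >= msglen || ++hops > MAX_HOPS) return -1;
            off = ((size_t)(len & 0x3F) << 8) | msg[off];
            continue;
        }
        if (len & 0xC0) return -1;            /* reserved label type */
        if (len > msglen - off) return -1;    /* label inside message */
        /* Destination check: dot + label + NUL must fit in what is left. */
        size_t need = len + (out ? 1u : 0u);
        if (need >= dstlen - out) return -1;
        if (out) dst[out++] = '.';
        memcpy(dst + out, msg + off, len);
        out += len;
        off += len;
    }
    dst[out] = '\0';
    return (int)out;
}

int main(void)
{
    char small[8]; /* deliberately too small for "net.example" */
    printf("%d\n", expand_name(sample_msg, sizeof sample_msg, 0, small, sizeof small));
    return 0;
}
```

A resolver that omits the destination check and copies each label unconditionally writes past the end of the buffer as soon as the response carries a name longer than the buffer.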

ISC BIND 4.9.2 through 4.9.10 are vulnerable. DNS stub resolver libraries that are derived from BIND 4 may be vulnerable, including BSD libc, GNU glibc, and resolvers used by System V UNIX systems. In addition, some network applications provide their own resolver functions, which may use vulnerable code from BIND 4.

The buffer overflows described in this document are different from the network lookup vulnerability described in CA-2002-19/VU#542971/CAN-2002-0684.

When performing a DNS lookup, applications issue calls to resolver functions, at which point most applications dynamically load the relevant portion of the resolver library. Other applications are statically linked at compile time to include resolver functions. In order to use updated resolver code, dynamically linked processes must be restarted, and statically linked binaries must be recompiled.

Impact

An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service. The attacker would need to control DNS responses, possibly by spoofing responses or gaining control of a DNS server.

Solution


Patch or Upgrade

Upgrade or apply a patch as specified by your vendor. Dynamically linked processes must be restarted and statically linked binaries must be recompiled in order to use the fixed resolver libraries.


Local Caching DNS Server Not Effective

A local caching DNS server will not prevent malicious responses from reaching vulnerable stub resolvers.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Computer Inc. | Affected | 12 Nov 2002 | 25 Feb 2003
GNU glibc | Affected | 12 Nov 2002 | 16 Jan 2003
Hewlett-Packard Company | Affected | 12 Nov 2002 | 15 Apr 2003
IBM | Affected | 12 Nov 2002 | 27 Feb 2003
ISC | Affected | 22 Oct 2002 | 13 Nov 2002
MetaSolv Software Inc. | Affected | 12 Nov 2002 | 15 Nov 2002
NetBSD | Affected | 12 Nov 2002 | 25 Feb 2003
Openwall GNU/*/Linux | Affected | 12 Nov 2002 | 14 Nov 2002
SGI | Affected | 12 Nov 2002 | 05 Dec 2002
Sun Microsystems Inc. | Affected | 12 Nov 2002 | 15 Nov 2002
The SCO Group | Affected | 12 Nov 2002 | 27 Feb 2003
Xerox Corporation | Affected | 12 Nov 2002 | 24 Apr 2003
FreeBSD | Not Affected | 12 Nov 2002 | 14 Nov 2002
NcFTP Software | Not Affected | - | 05 Dec 2002
OpenBSD | Not Affected | 12 Nov 2002 | 14 Nov 2002

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

Credit

This vulnerability was reported by CERT/CC staff.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2002-0029
  • CERT Advisory: CA-2002-31
  • Date Public: 12 Nov 2002
  • Date First Published: 13 Nov 2002
  • Date Last Updated: 24 Apr 2003
  • Severity Metric: 8.91
  • Document Revision: 22
