search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BIND memcpy not bounded in case T_SIG of rrextract()

Vulnerability Note VU#13145

Original Release Date: 2001-11-15 | Last Revised: 2001-11-15

Overview

Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.

Description

Version 8.2.2 of BIND includes some checks for the correct format of a signature record in DNSSEC that previous versions did not. Specifically, in the file ns_resp.c, there is a routine called 'rrextract'. (rr = "resource record"). rrextract contains a large switch block that converts resource records from the network format to the database format, doing different things depending on the type of record received. For case T_SIG, it decodes the signature records. When it gets to the name of the signing domain, there is the following block of code:

/* then the signer's name */
n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data) - 18);
if (n < 0 || n + NS_SIG_SIGNER > dlen) {
hp->rcode = FORMERR;
return (-1);
}

Slightly later, there is code that reads:

n = dlen - (NS_SIG_SIGNER + n);

and then...

memcpy(cp1, cp, n);

If an intruder can cause n to be large, the third argument to the memcpy will be negative. The third argument is an unsigned int, so it will be interpreted as a large positive. Thus you can indeed overflow a buffer, but it is a very, very large (~4GB on a 32-bit machine); it may not be possible to use this overflow to execute code.

dn_expand is a routine that actually converts the resource record from the wire format to the database format. It returns -1 if there is an error in decoding the resource record.

NS_SIG_SIGNER is defined in nameser.h as follows:

/* Offsets into SIG record rdata to find various values */

#define NS_SIG_SIGNER 18 /* Domain name of who signed it */

Previous versions of bind do not include the checks related to NS_SIG_SIGNER, only a check for a negative value returned from dn_expand (an error). Without this check it appear that if a nameserver returns a malformed value, that bind will crash

Impact

Intruders may be able to interrupt the normal operations of your nameserver.

Solution

Upgrade to BIND 8.2.2 patch level 5 or later.

Vendor Information

13145
 
Affected   Unknown   Unaffected

SCO

Updated:  September 05, 2000

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Updated:  November 09, 1999

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Updated:  November 09, 1999

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Updated:  November 05, 1999

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to ISC for reporting this problem.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: CVE-1999-0835
CERT Advisory: CA-1999-14
Severity Metric: 8.86
Date Public: 1999-11-10
Date First Published: 2001-11-15
Date Last Updated: 2001-11-15 04:08 UTC
Document Revision: 5

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.