[Snort-sigs] SID 261

Joe McAlerney joey at ...80...
Thu Feb 28 20:52:02 EST 2002


alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFF FF|/bin/sh"; classtype:attempted-admin; sid:261; rev:1;)
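As an added illustration (not part of the original post or of Snort itself), the following Python shows what the rule above actually tests: the content string mixes |hex| byte sections with literal text, and flags:A+ requires the ACK bit while tolerating others. The two sample payloads are constructed here, not captured traffic, and the matcher is a simplified stand-in for Snort's own engine (no stream reassembly).

```python
# Snort content string exactly as written in SID 261; |...| sections are hex bytes.
SID261_CONTENT = "|CD80 E8D7 FFFF FF|/bin/sh"

def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content: string (mixed |hex| and literal text) to raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            # Inside |...|: hex byte pairs, whitespace is ignored.
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            # Outside |...|: literal bytes.
            out += part.encode("latin-1")
    return bytes(out)

def sid261_matches(dst_port: int, tcp_flags: str, payload: bytes) -> bool:
    """Apply SID 261's header and content tests to one TCP segment.

    tcp_flags is a string of flag letters as Snort prints them (e.g. "AP").
    flags:A+ means ACK must be set; other bits may also be set.
    """
    if dst_port != 53 or "A" not in tcp_flags:
        return False
    return parse_snort_content(SID261_CONTENT) in payload

# Constructed sample payloads (assumptions for this example, not real captures).
# A normal DNS-over-TCP query: 2-byte length prefix, then a query for
# www.example.com, type A, class IN.
BENIGN_DNS_QUERY = (b"\x00\x21\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
# Filler around the exact byte sequence the rule looks for.
SIGNATURE_HIT = b"A" * 16 + parse_snort_content(SID261_CONTENT) + b"\x00" * 4

if __name__ == "__main__":
    for name, pkt in (("benign query", BENIGN_DNS_QUERY), ("signature hit", SIGNATURE_HIT)):
        print(f"{name}: alert={sid261_matches(53, 'AP', pkt)}")
```

Note that the match requires the full seven hex bytes immediately followed by "/bin/sh", which is why the rule is narrow enough to have no reported false positives but will miss any variant whose bytes differ.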



An attacker can gain root access through a buffer overflow vulnerability
in vulnerable versions of named on Linux, FreeBSD, and possibly other
Unix variants.


If successful, the attacker will have root access to the system and can
potentially modify DNS settings.

Detailed Information:

This remote exploit overflows a bcopy()/memcpy() buffer in named and
returns a root shell.  Vulnerable versions of named include, but are not
limited to:

+ 4.9.5-REL
+ 4.9.5-P1
+ 4.9.6-REL
+ 8.1-REL
+ 8.1.1

Attack Scenarios:

An attacker may scan for open TCP port 53 (DNS), then execute a DNS
version query (see sid 257) before running the exploit.  If successful,
the attacker will have full access to the machine.

Ease of Attack:

Simple, given an exploit is obtainable and a targeted host is vulnerable
(i.e., running an older version of named).

False Positives:

None reported.

False Negatives:


Corrective Action:

Apply proper methods, as stated by your organization's security policy,
to ensure the system is not compromised.  Upgrade to the latest stable
version of BIND.


Joe McAlerney - joey at ...80...

Additional References:

CERT Advisory CA-1998-05

