[Snort-sigs] SID 261
joey at ...80...
Thu Feb 28 20:52:02 EST 2002
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFF FF|/bin/sh"; classtype:attempted-admin; sid:261; rev:1;)
An attacker can gain root access through a buffer overflow vulnerability
in vulnerable versions of named on Linux, FreeBSD, and possibly other
Unix variants running named.
If successful, the attacker will have root access to the system and can
potentially modify DNS settings.
This remote exploit overflows a bcopy()/memcpy() buffer in named and
returns a root shell. Vulnerable versions of named include, but are not
An attacker may scan for open TCP port 53 (DNS), then execute a DNS
version query (see sid 257) before running the exploit. If successful,
the attacker will have full access to the machine.
Ease of Attack:
Simple, given an exploit is obtainable and a targeted host is vulnerable
(i.e., running an older version of named).
Apply proper methods, as stated by your organization's security policy,
to ensure the system is not compromised. Upgrade to the latest stable
version of BIND.
Joe McAlerney - joey at ...80...
CERT Advisory CA-1998-05
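The content string in the SID 261 rule mixes pipe-delimited hex bytes with literal text, and the rule only fires on TCP segments to port 53 with the ACK flag set. The following is an added example, not part of the original post or of Snort itself: it converts that content string into raw bytes the way Snort does and evaluates the rule's three conditions against constructed packets (the sample payloads below are made up for the test; the function and constant names are my own).

```python
import re

# Pattern from the SID 261 rule as posted: x86 int 0x80 / call sequence followed by "/bin/sh"
SNORT_CONTENT = "|CD80 E8D7 FFFF FF|/bin/sh"

# A |...| group holds hex digits, optionally separated by whitespace
HEX_GROUP = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string (literal text with |hex| groups) to raw bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_GROUP.finditer(content):
        # Literal text before the hex group is matched byte-for-byte
        out += content[pos:m.start()].encode("latin-1")
        hexdigits = "".join(m.group(1).split())
        if len(hexdigits) % 2:
            raise ValueError("odd number of hex digits in content group: " + m.group(0))
        out += bytes.fromhex(hexdigits)
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


RULE_PATTERN = snort_content_to_bytes(SNORT_CONTENT)


def rule_261_matches(dst_port: int, tcp_flags: str, payload: bytes) -> bool:
    """Evaluate the SID 261 conditions: dst port 53, ACK set (flags:A+), content present.

    tcp_flags is a string of Snort flag letters, e.g. "PA" for PSH+ACK.
    'A+' means ACK must be set and any other flags may also be set.
    """
    if dst_port != 53:
        return False
    if "A" not in tcp_flags:
        return False
    # Snort content matching is an exact, case-sensitive byte search
    return RULE_PATTERN in payload


def match_offset(payload: bytes) -> int:
    """Return the byte offset of the rule's content in the payload, or -1 if absent."""
    return payload.find(RULE_PATTERN)


# Constructed sample payloads (not real captures): padding around the signature bytes
SAMPLE_HIT = b"\x90" * 16 + b"\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh" + b"\x00" * 4
# Same shell string but different preceding bytes, so the exact content does not match
SAMPLE_MISS = b"\x90" * 16 + b"\x31\xc0/bin/sh" + b"\x00" * 4


if __name__ == "__main__":
    print("pattern bytes:", RULE_PATTERN.hex())
    print("hit  ->", rule_261_matches(53, "PA", SAMPLE_HIT), "offset", match_offset(SAMPLE_HIT))
    print("miss ->", rule_261_matches(53, "PA", SAMPLE_MISS))
    print("SYN only ->", rule_261_matches(53, "S", SAMPLE_HIT))
```

The check is deliberately literal: like the Snort rule, it alerts only when this exact byte sequence appears in a TCP segment to port 53, so it identifies one known payload layout rather than the underlying bug. That is why the post pairs the signature with the advice to upgrade BIND.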