[Snort-sigs] SID 261

Joe McAlerney joey at ...80...
Thu Feb 28 20:52:02 EST 2002


Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:1;)
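As an added illustration (not part of the original post or of Snort itself), the Python below mirrors how this rule's header and its two options, flags:A+ and the content match, are evaluated against a few constructed TCP segments. Snort's own engine additionally reassembles streams and runs preprocessors, which this does not model; the Packet class and the sample segments are assumptions made for the example.

```python
from dataclasses import dataclass

# Option values copied from the SID 261 rule above.
SID_261_DST_PORT = 53
SID_261_FLAGS = "A+"
SID_261_CONTENT_OPTION = "|CD80 E8D7 FFFF FF|/bin/sh"

# TCP flag bits as they appear in the TCP header, keyed by Snort's letters.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

@dataclass
class Packet:
    """Constructed TCP segment holding only the fields the rule inspects."""
    dst_port: int
    flags: int        # TCP flag bits from the header
    payload: bytes

def parse_content(option: str) -> bytes:
    """Turn a Snort content string into raw bytes: text between pipes is hex."""
    out = b""
    for i, part in enumerate(option.split("|")):
        # Odd-indexed pieces sit between pipes (hex); even ones are literal text.
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode()
    return out

def flags_match(flags: int, spec: str) -> bool:
    """Snort 'flags:A+' means ACK set, other bits allowed; without '+' it is exact."""
    required = 0
    for letter in spec.rstrip("+"):
        required |= TCP_FLAG_BITS[letter]
    if spec.endswith("+"):
        return flags & required == required
    return flags == required

SID_261_CONTENT = parse_content(SID_261_CONTENT_OPTION)

def sid_261_matches(pkt: Packet) -> bool:
    """Rule header (TCP to port 53) plus the flags and content options."""
    return (pkt.dst_port == SID_261_DST_PORT
            and flags_match(pkt.flags, SID_261_FLAGS)
            and SID_261_CONTENT in pkt.payload)

# Constructed sample segments (not captured traffic): one PSH|ACK segment to
# port 53 carrying the signature bytes, and three that should not alert.
SAMPLE_HIT = Packet(53, 0x18, b"\x00" * 8 + SID_261_CONTENT + b"\x00")
SAMPLE_WRONG_PORT = Packet(80, 0x18, SAMPLE_HIT.payload)
SAMPLE_SYN_ONLY = Packet(53, 0x02, SAMPLE_HIT.payload)
SAMPLE_BENIGN = Packet(53, 0x18, b"\x00\x02\x01\x00\x00\x01\x00\x00")  # constructed query bytes
```

The content option is an exact byte comparison, so the rule identifies this specific exploit body rather than the underlying bcopy()/memcpy() overflow itself.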

--
Sid:
261

--
Summary:

An attacker can gain root access through a buffer overflow vulnerability
in vulnerable versions of named on Linux, FreeBSD, and possibly other
unix variants running named.

--
Impact:

If successful, the attacker will have root access to the system and can
potentially modify DNS settings.

--
Detailed Information:

This remote exploit overflows a bcopy()/memcpy() buffer in named and
returns a root shell.  Vulnerable versions of named include, but are not
limited to:

+ 4.9.5-REL
+ 4.9.5-P1
+ 4.9.6-REL
+ 8.1-REL
+ 8.1.1

--
Attack Scenarios:

An attacker may scan for open TCP port 53 (DNS), then execute a DNS
version query (see sid 257) before running the exploit.  If successful,
the attacker will have full access to the machine.

--
Ease of Attack:

Simple, given that an exploit is obtainable and the targeted host is
vulnerable (i.e., running an older version of named).

--
False Positives:

None reported.

--
False Negatives:

None.

--
Corrective Action:

Apply proper methods, as stated by your organization's security policy,
to ensure the system is not compromised.  Upgrade to the latest stable
version of BIND.

--
Contributors:

Joe McAlerney - joey at ...80...

-- 
Additional References:

CERT Advisory CA-1998-05
http://www.cert.org/advisories/CA-1998-05.html
