Antwort: Re: [Snort-users] New BIND exploit...
vision at ...4...
Tue Jan 30 09:07:35 EST 2001
On Tue, 30 Jan 2001 holger.bumke at ...1216... wrote:
> As a quick workaround any user of BIND 8 can hide the version-number
> of his named in the named.conf by adding
> version "Skript-Kiddies: go away!";
Be careful of security through obscurity though! Not only will attackers
sometimes attack anyway, but there is another way to check if a BIND is
version 9 or not ("not" usually being equal to "vulnerable").
I wrote this note to Bugtraq yesterday about this but it doesn't seem to
have been posted yet:
Subject: fingerprinting BIND 9.1.0
The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
chaos record called "authors". So now even if an admin changes or
suppresses their version reply string, a remote user can still determine
whether the server is running BIND 9.x. With the recent discovery of the
tsig bug in BIND there will probably be a huge rise in version queries.
Some attackers may remove ambiguity by skipping servers that reply to
authors.bind (inferring that it's bind 9.1.0 and not vulnerable).
% dig @ns.example.com authors.bind chaos txt
% nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
authors.bind text = "Bob Halley"
authors.bind text = "Mark Andrews"
authors.bind text = "James Brister"
authors.bind text = "Michael Graff"
authors.bind text = "David Lawrence"
authors.bind text = "Michael Sawyer"
authors.bind text = "Brian Wellington"
authors.bind text = "Andreas Gustafsson"
The following Snort signature will detect these probes:
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors"; content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)