[Snort-users] Signature for this?

John Sage jsage at ...2022...
Sat Sep 7 23:01:04 EDT 2002


On Sat, Sep 07, 2002 at 08:12:11PM -0500, Frank Knobbe wrote:
> Guys, 
> 
> is anyone aware of a snort sig for this one? 
> 
> http://www.theregister.co.uk/content/55/26967.html

An authoritative source is found at:

http://www.cert.org/advisories/CA-2002-19.html

"CERT Advisory CA-2002-19 Buffer Overflows in Multiple DNS Resolver
Libraries"


The multiple conditions described may be beyond detection by a snort
rule.

1) "Buffer overflow vulnerabilities exist in multiple implementations
of DNS resolver libraries."

So the attack itself is based on a buffer overflow. There is not
necessarily any known exploit, or known shell code.

2) "Two sets of responses could trigger buffer overflows in vulnerable
DNS resolver libraries:  responses for host names or addresses,
and responses for network names or addresses."

So the vulnerable transaction is either a host response, or a network
response.

3) "An attacker who is able to control DNS responses could exploit
arbitrary code or cause a denial of service on vulnerable systems.
The attacker would need to be able to spoof DNS responses or control a
DNS server that provides responses to a vulnerable system."

The attacker must either commandeer a legitimate DNS server, or spoof
responses so that they appear to come from a legitimate DNS server.

4) "By issuing queries to and interpreting responses from DNS
servers, IP-enabled network operating systems can access DNS
information.  When an IP network application needs to access or
process DNS information, it calls functions in the stub resolver
library, which may be part of the underlying network operating
system."

The issue affects not only local nameservers, but applications that
call resolver functions (sendmail would be one example, methinks..)


So this is a pretty complex situation.

What to do?

Patch, and recompile applications as needed...



- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705




More information about the Snort-users mailing list