On Thu, 11 Nov 1999, Anonymous wrote:

> Ooh, those pesky NXT records.  Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"?  In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records?  This makes a big difference!

I won't go into exact details of exploiting the vuln. because it gets
kinda hairy, but it's a real threat.
I can get EIP on multiple versions of BIND. Tested so far:

  812-t3b, 812-t4b, 812, and 821

The exploit has failed on a particular 812 binary I have, but a recent 812
binary (both of these bins compiled from source retrieved from isc.org)
was exploitable. Go figure. I also have an 812-t3b binary which the
exploit does not work on. So far, I can't find a pattern as to which
versions of BIND actually process NXT RRs. As I said, I had two binaries
of the 812 release--one processed NXT RRs and the other didn't.

The overflow takes place processing *ANY* answer from another nameserver.
All the answer needs to contain is a properly formatted NXT record. It
doesn't matter whether it answers the question, but the answer name must
match the queried name.

nimrood
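An added detection example, not part of the original thread: a minimal parser for DNS response wire format that flags NXT RRs (type 30, RFC 2535) in the answer section whose owner name matches the question name, which is the trigger condition nimrood describes (the QTYPE asked for is deliberately ignored, since the answer need not match the question). The sample response and its NXT rdata are constructed for the demonstration; the function names are my own.

```python
import struct
NXT_TYPE = 30  # NXT RR type code from RFC 2535

def _read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), end if jumped else off

def find_suspicious_nxt(msg):
    """Return (owner, rdlength) for each answer-section NXT RR owned by a question name."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off, qnames, hits = 12, [], []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
        qnames.append(name)
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen  # fixed RR fields plus RDATA
        if rtype == NXT_TYPE and owner in qnames:
            hits.append((owner, rdlen))
    return hits

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_response(rtype, rdata):
    """Constructed sample response: question example.com/A, one answer RR with the same owner."""
    return (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + _encode_name("example.com") + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
            + b"\xC0\x0C"                                             # owner: pointer to offset 12
            + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata)

# Constructed NXT rdata per RFC 2535: next domain name, then a type bitmap with A and NXT set
NXT_RDATA = _encode_name("a.example.com") + bytes([0x40, 0x00, 0x00, 0x02])
```

`find_suspicious_nxt(build_response(NXT_TYPE, NXT_RDATA))` flags the record, while the same response carrying an ordinary A answer returns an empty list.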