> > * Badguy controlling external DNS server puts in huge A record for common
> >   destination in an attempt to generate buffer overflow exploit on remote
> >   hosts
>
>    Hmmm, could you refresh my memory on this one? I can't recall the
>    nature of this exploit. Perhaps I can make some intelligent comment
>    and not look like a putz.

 Buffer overflow in hostname->IP resolution: returning an IP address with more
than 4 bytes (actually a bit more in most implementations) can overwrite the
in_addr buffer used to store the result. The same kind of overflow can occur
in IP->hostname resolution: the target has a buffer of MAXHOSTNAMELEN (64)
bytes to store the result of the PTR query, and the DNS server returns enough
data to overflow this buffer. For example, Solaris resolver libraries were
vulnerable to that kind of attack until some mid-98 patch (followed by a
security advisory several months later). Remember the ping local exploit? Same
thing, but remote.

 Shellcode for the latter is tougher to develop, since most DNS resolvers check
the host name character set (while an IP address can contain any byte code), but
at least with Sparc, it's feasible with some boolean arithmetic ;-)

 AFAIK, as I said in my previous message, bind 8.1.2 (and 4.9.7) close both
holes when used for proxying DNS requests.

 Cheers,

    -JCT-
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
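The two resolver-side checks that close the holes described in this thread (an A answer whose RDATA is longer than an in_addr, and a PTR answer whose name is longer than the MAXHOSTNAMELEN buffer or outside the host name character set), as an added example that is not from the thread or from any resolver library. It assumes uncompressed wire-format names and a 64-byte host name buffer; the sample RDATA is constructed, not captured traffic.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define MAXHOSTNAMELEN 64   /* size of the buffer the PTR result is copied into */

/* A record: RDLENGTH must be exactly 4 before anything is copied. 0 = ok, -1 = rejected. */
int check_a_rdata(const uint8_t *rdata, uint16_t rdlen, uint8_t out[4]) {
    if (rdlen != 4) return -1;          /* oversized A record: refuse, copy nothing */
    memcpy(out, rdata, 4);
    return 0;
}

/* PTR record: decode an uncompressed wire-format name into a dotted host name, checking
 * the output size and the host name charset (letters, digits, '-') at every label. */
int check_ptr_rdata(const uint8_t *rdata, uint16_t rdlen, char *out, size_t outlen) {
    size_t pos = 0, olen = 0;
    while (pos < rdlen) {
        uint8_t len = rdata[pos++];
        if (len == 0) { out[olen] = '\0'; return olen ? 0 : -1; }   /* root label ends the name */
        if (len & 0xC0) return -1;                 /* compression pointer: needs the whole message */
        if (pos + len > rdlen) return -1;          /* label runs past RDLENGTH */
        if (olen + (olen ? 1 : 0) + len + 1 > outlen) return -1;  /* would overflow the buffer */
        for (uint16_t i = 0; i < len; i++)
            if (!isalnum(rdata[pos + i]) && rdata[pos + i] != '-') return -1;
        if (olen) out[olen++] = '.';
        memcpy(out + olen, rdata + pos, len);
        olen += len; pos += len;
    }
    return -1;                                     /* no terminating zero label */
}

/* Constructed sample RDATA. Returns 1 only if the well-formed answers pass and the
 * oversized or malformed ones are rejected without writing past the buffers. */
int run_samples(void) {
    static const uint8_t a_ok[4] = {192, 0, 2, 1};
    static const uint8_t a_big[8] = {192, 0, 2, 1, 0x41, 0x41, 0x41, 0x41};
    static const uint8_t ptr_ok[] = "\004host\007example\003com";   /* literal's NUL = root label */
    static const uint8_t ptr_bad[] = "\005h/ost\003com";            /* '/' is not a host name char */
    uint8_t ptr_long[72], ip[4];
    char name[MAXHOSTNAMELEN];
    ptr_long[0] = 70; memset(ptr_long + 1, 'a', 70); ptr_long[71] = 0;  /* 70-char label: too long */
    return check_a_rdata(a_ok, 4, ip) == 0 && ip[3] == 1 && check_a_rdata(a_big, 8, ip) == -1
        && check_ptr_rdata(ptr_ok, sizeof ptr_ok, name, sizeof name) == 0
        && strcmp(name, "host.example.com") == 0
        && check_ptr_rdata(ptr_bad, sizeof ptr_bad, name, sizeof name) == -1
        && check_ptr_rdata(ptr_long, sizeof ptr_long, name, sizeof name) == -1;
}
```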