http://www.isc.org/products/BIND/bind-security-19991108.html

Name: "nxt bug"
Versions affected: 8.2, 8.2 patchlevel 1, 8.2.1
Severity: CRITICAL
Exploitable: Remotely
Type: Access possible
Description: A bug in the processing of NXT records can theoretically allow an attacker to gain access to the system running the DNS server at whatever privilege level the DNS server runs at.
Workarounds: None.
Active Exploits: At this time, ISC is unaware of any active exploits of this vulnerability; however, given the potential access this vulnerability represents, it is probable that scripts will be created in the near future that make use of this vulnerability.

Reply-To: Anonymous
To: BUGTRAQ@SECURITYFOCUS.COM

Ooh, those pesky NXT records. Like I process those every day. Fascinating read in RFC 2535, but suppose I don't have any NXT records in my own zones: under what circumstances will my DNS server commit the sin of "the processing of NXT records"? In other words, are all of us vulnerable (even caching-only name servers if so, I imagine!), or only people with NXT records? This makes a big difference!

Subject: Re: your mail
To: BUGTRAQ@SECURITYFOCUS.COM

On Thu, 11 Nov 1999, Anonymous wrote:
> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!

Caching-only servers are also vulnerable. The NXT record is no different than any other DNS record in this case. If someone is able to make your server fetch a maliciously constructed NXT record, it will cause problems. A query to a caching server will force the server to send a recursive query, which makes the caching server vulnerable.

Brian

Date: Fri, 12 Nov 1999 05:20:55 +0100
From: Alain Thivillon
Subject: Re: your mail
To: BUGTRAQ@SECURITYFOCUS.COM

Anonymous wrote:
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!

[NB: I can be wrong, don't flame me :)]

Examining the diffs between 8.2.1 and 8.2.2PL3 shows a rewrite of the code handling external responses to an NXT query coming from bind itself (see bin/named/ns_resp.c). So I suppose that if your name server is public and recursive, an external attacker can query your bind for an NXT record in another zone. If he has control of the name server of this zone, he can send offending responses and trigger the bug. I suspect every public server with 8.2 <= bind < 8.2.3PL3 is vulnerable.

Reply-To: "David R. Conrad"
Sender: Bugtraq List
Organization: Internet Software Consortium
X-To: Anonymous
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

The problem is with the reception of NXT records, so it doesn't matter what you have in your own zone files. Any nameserver running versions 8.2, 8.2 patchlevel 1, or 8.2.1 can be susceptible to the attack (albeit there are some pre-conditions that must be met for the issue to even come up). We, of course, recommend upgrading. In addition, we recommend running your nameserver as non-root and chrooted (I know setting this up is non-trivial -- it'll be much, much easier in BINDv9).

Rgds,
-drc

Anonymous wrote:
> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!
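The precondition the replies above converge on is a server that recurses for outside clients: an attacker asks it for an NXT record in a zone the attacker controls, and the server fetches the attacker's response. The script below is an added example, not code from the thread, from ISC or from BIND; it builds a raw DNS query for an NXT record (type 30, RFC 2535) of a name the server is not authoritative for, sends it with the RD bit set, and reports from the RA bit and the rcode whether the server recursed on the client's behalf. The target address, port and query name are assumptions chosen for illustration.

```python
"""Probe whether a name server will recurse for an outside client.

Added example (not from the Bugtraq thread or from ISC).  A server that
answers a recursive NXT query for a foreign name with RA set is one that can
be made to fetch an attacker-supplied NXT record, which is the exposure the
thread describes.  Server address, port and query name are assumptions.
"""
import secrets
import socket
import struct
from typing import Optional

QTYPE_NXT = 30      # RFC 2535 NXT RR type
QCLASS_IN = 1

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_NXT, txid: Optional[int] = None) -> bytes:
    """Build a standard query with RD=1, i.e. asking the server to recurse."""
    if txid is None:
        txid = secrets.randbits(16)
    flags = 0x0100  # QR=0, OPCODE=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; refuses truncated input instead of guessing."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, response: bytes) -> str:
    """Return 'recursive', 'closed' or 'invalid' for a reply to `query`.

    'recursive' means the server advertised RA and answered (NOERROR or
    NXDOMAIN) rather than refusing, so it will fetch data for arbitrary
    names on behalf of this client.  A mismatched ID or a missing QR bit
    is treated as 'invalid' rather than as evidence either way.
    """
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "invalid"
    if r["ra"] and r["rcode"] in (0, 3):
        return "recursive"
    return "closed"


def probe(server: str, name: str = "example.com.", port: int = 53,
          timeout: float = 3.0) -> str:
    """Send the NXT query over UDP and classify the reply (network required)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        response, _ = s.recvfrom(4096)
    return classify(query, response)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed address
    print("%s: %s" % (target, probe(target)))
```

Run it from an address outside your own network against the server in question; a "recursive" verdict from there means the server meets the precondition Brian and Alain describe, and upgrading is the only fix, since the advisory lists no workaround. The query name is deliberately one the server does not serve, so an authoritative-only server cannot answer it from its own zones.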