[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : BIND buffer overflow

Title: BIND buffer overflow
Released by: Caldera
Date: 31st January 2001
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



______________________________________________________________________________

   Caldera Systems, Inc.  Security Advisory



Subject: BIND buffer overflow

Advisory number: CSSA-2001-008.1

Issue date: 2001 January, 29

Last change: 2001 January, 31

Cross reference:

______________________________________________________________________________





1. Problem Description



   Several security problems have been discovered in the most recent

   versions of BINDv8 (8.2.2p7). One of them is a buffer overflow that

   can potentially exploited to execute arbitrary code with the privilege

   of the bind user.



   If you do not run the BIND named server, you are not affected

   by this problem.



2. Vulnerable Versions



   System                       Package

   -----------------------------------------------------------

   OpenLinux 2.3 All packages previous to

   bind-8.2.3



   OpenLinux eServer 2.3.1      All packages previous to

   and OpenLinux eBuilder  bind-8.2.3



   OpenLinux eDesktop 2.4       All packages previous to

   bind-8.2.3



3. Solution



   Workaround



     none



   The proper solution is to upgrade to the latest packages.



   As a matter of caution, we also suggest that you run the name

   server process under a non-root user ID. In case of future

   security holes in bind, this makes sure that remote attackers

   do not immediately obtain root access.



   Be warned however that when running the name server process

   under a non-root uid it loses the ability to automatically

   re-bind itself when you change the address of a network

   interface, or create a new one. If you do that, you need

   to manually restart named in this case.



   On eDesktop 2.4, named already runs under the "bind" account by

   default; this is not the case on OpenLinux 2.3 and eServer 2.3.1,

   however.



   Here's what to do:



   a. Create a new user and group named `bind'.

Pick an unused user and group ID (on a normal OpenLinux

installation, uid and gid 19 should be available).

Run the following commands as super user, replacing

 and  by the user and group IDs you selected:



# groupadd -g  bind

# useradd -u  -g  -d / -s /bin/false bind



   b. Change the ownership of /var/named to bind.bind:



# chown -R bind.bind /var/named



   c. Edit /etc/sysconfig/daemons/named. Replace the line



OPTIONS=""



with



OPTIONS="-u bind"



This makes sure that the name server process relinquishes

root privilege after initialization.



   d. Stop and restart your name server:



# /etc/rc.d/init.d/named stop

# /etc/rc.d/init.d/named start



   Note that simply issuing /etc/rc.d/init.d/named restart

will not be enough!



4. OpenLinux 2.3



   4.1 Location of Fixed Packages



       The upgrade packages can be found on Caldera's FTP site at:

        

       http://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/



       The corresponding source code package can be found at:



       http://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS



   4.2 Verification



   01f9c6b514ab5aa70c3fe200c0c97243  RPMS/bind-8.2.3-1.i386.rpm

   89ed56545ee05e8adf81775b2754afd0  RPMS/bind-doc-8.2.3-1.i386.rpm

   41b9707056286325f4da4f45c0547b27  RPMS/bind-utils-8.2.3-1.i386.rpm

   9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm



   4.3 Installing Fixed Packages



       Upgrade the affected packages with the following commands:



          rpm -Fhv bind-*i386.rpm

  /etc/rc.d/init.d/named stop

  /etc/rc.d/init.d/named start



5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0



   5.1 Location of Fixed Packages



       The upgrade packages can be found on Caldera's FTP site at:



       http://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/



       The corresponding source code package can be found at:



       http://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS



   5.2 Verification



   acd707632ae0e33432b5d37862265517  RPMS/bind-8.2.3-1.i386.rpm

   679d55e150b0bc8de0828db076e8594b  RPMS/bind-doc-8.2.3-1.i386.rpm

   a2b1b9764e884f4b1ed2b77e222a6755  RPMS/bind-utils-8.2.3-1.i386.rpm

   9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm



   5.3 Installing Fixed Packages



       Upgrade the affected packages with the following commands:



          rpm -Fvh bind-*i386.rpm

  /etc/rc.d/init.d/named stop

  /etc/rc.d/init.d/named start



6. OpenLinux eDesktop 2.4



   6.1 Location of Fixed Packages



       The upgrade packages can be found on Caldera's FTP site at:



       http://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/



       The corresponding source code package can be found at:



       http://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS



   6.2 Verification



   f454346c9bf531d6e9aa014d2be93e99  RPMS/bind-8.2.3-1.i386.rpm

   33a4e0f2ff622ea60e920c189b48af00  RPMS/bind-doc-8.2.3-1.i386.rpm

   a786125567471a7bd42544e104977d15  RPMS/bind-utils-8.2.3-1.i386.rpm

   9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm



   6.3 Installing Fixed Packages



       Upgrade the affected packages with the following commands:



          rpm -Fvh bind-*i386.rpm

  /etc/rc.d/init.d/named stop

  /etc/rc.d/init.d/named start



7. References



   This and other Caldera security resources are located at:



   http://www.calderasystems.com/support/security/index.html



   Additional information on this bug can be found at



   http://www.cert.org/advisories/CA-2001-02.html



   This security fix closes Caldera's internal Problem Report 8942.



8. Disclaimer



   Caldera Systems, Inc. is not responsible for the misuse of any of the

   information we provide on this website and/or through our security

   advisories. Our advisories are a service to our customers intended to

   promote secure installation and use of Caldera OpenLinux.



______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.1 (GNU/Linux)

Comment: For info see http://www.gnupg.org



iD8DBQE6d+3l18sy83A/qfwRAjDSAJ9t7R8OiGb95t+DEsHUAW628jt7SgCeK1uB

5bK+TyAtICtvl/D84AnCz40=

=RkYp

-----END PGP SIGNATURE-----



From owner-bugtraq@SECURITYFOCUS.COM  Wed Jan 31 13:03:48 2001






(C) 1999-2000 All rights reserved.