2010-09-14 - The slides from my recent (re-)presentation (with lots of extra bits) at SEC-T 2010 will soon be online! exploit code [...]
2009-12-18 - The slides from my recent presentation at CRESTCon 2009, the 'replacement' for CHECKCon, are now online! exploit code for the demonstrations [...]
bind9: all sweetness and light?
The history of ISC's ubiquitous DNS implementation, bind (named), is somewhat chequered: a true story of love and hate between security researchers and a seemingly never-ending supply of remotely exploitable vulnerabilities in what is still today the most wide-spread (and perhaps the most complete) implementation of the DNS protocol. It has quite often been asserted that ISC have finally created, in bind9, a reliable and completely secure implementation of the DNS protocol; and, with the announcement that support for bind8 is to be officially withdrawn, that they have finally (and irrevocably) embraced security!
Since bind9 itself has been publicly available for over seven years now, and given the rate at which it has been deployed, I can only assume that many man-hours of effort have been expended in an attempt to audit the bind9 source code. However, since the bugs located during my short journey through the source have never been disclosed, nor patched in the latest versions (not even for stability purposes), I have decided to share a couple of patches with you. (You might ask why. Mostly out of curiosity: I'm curious to know how long it takes ISC to patch these bugs in bind9 after this page is made public, and who will be credited with their discovery..)
Patch name.c-diff fixes an off-by-one: the code reserves 3 bytes, but the call to sprintf stores 4, because sprintf always appends a terminating NUL after the characters it formats.
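The following is an added illustration of that class of bug, constructed for this page rather than taken from bind9 or from the patch: a byte outside printable ASCII is rendered as a DNS presentation-format escape ("\DDD", three decimal digits), the space check is written against the number of characters rather than the number of bytes sprintf stores, and the hardened encoder beside it accounts for the NUL and bounds the write with snprintf. The function names, the 3-versus-4 accounting and the sample input are all assumptions made here; the flawed check is evaluated but never used to perform the write.

```c
#include <stdio.h>
#include <string.h>

/* How many bytes of dst does sprintf(dst, "%03u", c) actually store?
 * Measured rather than assumed: three digits plus the terminating NUL. */
int bytes_stored_by_sprintf(unsigned char c) {
    char tmp[16];
    int n = sprintf(tmp, "%03u", (unsigned)c); /* n counts characters, not the NUL */
    return n + 1;
}

/* The flawed check (constructed): lets the write proceed when only 3 bytes
 * remain, although 4 will be stored. Returns 1 when the unsafe write would
 * go ahead. The write itself is deliberately not performed here. */
int old_check_allows_write(size_t remaining) {
    return remaining >= 3;
}

/* Hardened encoder: text form of src[0..n), escaping non-printable bytes and
 * the backslash as \DDD. dst is NUL-terminated on success.
 * Returns the text length (excluding the NUL) or -1 if dst is too small. */
int escape_to_text(const unsigned char *src, size_t n, char *dst, size_t dstlen) {
    size_t used = 0;
    if (dstlen == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = src[i];
        size_t remaining = dstlen - used;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (remaining < 2)            /* the character plus the trailing NUL */
                return -1;
            dst[used++] = (char)c;
        } else {
            if (remaining < 5)            /* '\\' + 3 digits + NUL */
                return -1;
            dst[used++] = '\\';
            /* snprintf is bounded by the real remaining space, NUL included */
            int w = snprintf(dst + used, dstlen - used, "%03u", (unsigned)c);
            if (w < 0 || (size_t)w >= dstlen - used)
                return -1;                /* output would have been truncated */
            used += (size_t)w;
        }
    }
    dst[used] = '\0';
    return (int)used;
}

/* Constructed sample: 'a' followed by byte 0x01 -> "a\001" (5 chars + NUL = 6 bytes). */
static const unsigned char sample[] = { 'a', 0x01 };

/* Result of encoding the sample into a dst of the given size (-1 if rejected). */
int encode_sample(size_t dstlen) {
    char out[32];
    if (dstlen > sizeof out)
        dstlen = sizeof out;
    return escape_to_text(sample, sizeof sample, out, dstlen);
}

/* 1 when the encoded sample reads exactly "a\001". */
int sample_text_is_correct(void) {
    char out[32];
    int len = escape_to_text(sample, sizeof sample, out, sizeof out);
    return len == 5 && strcmp(out, "a\\001") == 0;
}
```

The point of `bytes_stored_by_sprintf` is that the "4 not 3" count is something you can measure: with exactly 3 bytes left, `old_check_allows_write` says yes, and the NUL lands one byte past the end. The hardened version reserves space for the NUL in every branch and lets snprintf's return value confirm nothing was cut off.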
Patch dst_api.c-diff fixes a bug whereby a single byte is appended to the buffer "out" without first verifying that it has enough space. Once that byte has been written past the end, the isc_buffer macros underflow whenever the remaining length is calculated (the subtraction is unsigned), so every subsequent size check passes and a complete smash can proceed!
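As an added illustration of why one unchecked byte is enough, here is a toy buffer constructed for this page (not ISC's code) with the same three fields and the same unsigned "remaining = length - used" arithmetic as the isc_buffer idiom. The scenario, the field names and the function names are assumptions; the backing array is deliberately larger than the buffer's declared length so the stray byte lands in slack we own rather than past real storage, because the accounting, not the corruption, is what the example demonstrates.

```c
#include <limits.h>
#include <stddef.h>

/* Toy buffer modelled on the isc_buffer fields (constructed, not ISC's code). */
typedef struct {
    unsigned char *base;
    unsigned int length;  /* capacity of base */
    unsigned int used;    /* bytes written so far */
} toybuf;

/* Remaining space. Unsigned subtraction: once used exceeds length the result
 * wraps to a value near UINT_MAX instead of going negative. */
unsigned int available(const toybuf *b) {
    return b->length - b->used;
}

/* The bug pattern: one byte appended with no room check. */
void put_byte_unchecked(toybuf *b, unsigned char c) {
    b->base[b->used++] = c;
}

/* The fix: refuse when no room is left. Returns 0 on success, -1 if full. */
int put_byte_checked(toybuf *b, unsigned char c) {
    if (available(b) < 1)
        return -1;
    b->base[b->used++] = c;
    return 0;
}

/* A later caller that trusts available() to decide whether n more bytes fit. */
int copy_would_be_accepted(const toybuf *b, unsigned int n) {
    return n <= available(b);
}

/* Scenario: a 4-byte buffer that is already full receives one unchecked byte.
 * backing must be at least 5 bytes so the stray byte stays inside our own slack. */
static toybuf full_buffer_after_unchecked_byte(unsigned char *backing) {
    toybuf b = { backing, 4, 4 };
    put_byte_unchecked(&b, 0x41);   /* used becomes 5 while length is still 4 */
    return b;
}

unsigned int available_after_overrun(void) {
    unsigned char backing[8] = {0};
    toybuf b = full_buffer_after_unchecked_byte(backing);
    return available(&b);           /* UINT_MAX: every later size check passes */
}

int huge_copy_accepted_after_overrun(void) {
    unsigned char backing[8] = {0};
    toybuf b = full_buffer_after_unchecked_byte(backing);
    return copy_would_be_accepted(&b, 1u << 30);  /* 1 GiB "fits" in 4 bytes */
}

int sane_copy_check(void) {
    unsigned char backing[4] = {0};
    toybuf b = { backing, 4, 2 };   /* 2 bytes free */
    return copy_would_be_accepted(&b, 3);         /* correctly refused: 0 */
}

int checked_append_to_full_buffer(void) {
    unsigned char backing[4] = {0};
    toybuf b = { backing, 4, 4 };
    int rc = put_byte_checked(&b, 0x41);
    return rc == -1 && available(&b) == 0;        /* rejected, accounting intact */
}
```

The first unchecked byte is a one-byte overrun; the damage comes afterwards, when `used` is larger than `length` and any code that sizes its copy by `available()` is told it has several gigabytes to play with. The checked variant keeps `used <= length` as an invariant, so the subtraction can never wrap.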
Note: The information found here is not a revelation, nor should it be seen as an admission that I possess a 0day, or even that I know any such 0day exists! However, if you must take something away, let it be the knowledge that bind9 is not bullet-proof, and if ISC can still make such simple errors, maybe there are some more waiting to be found... ;)