DNS NXT record overflow
Summary
This is an attempt to exploit the NXT record buffer overflow that afflicts several BIND 8.2.x DNS servers. If successful, it gives the attacker complete control over the machine, since named normally runs as root on the affected systems.
Details
This attack became a widespread plague during the first part of 2000. Its popularity is due to the fact that the most popular Linux distribution of the time (RedHat 6.1) shipped a vulnerable BIND. Only BIND 8.2, 8.2-P1 and 8.2.1 are susceptible; the fix is in BIND 8.2.2-P5 and later.
Exploit Details
The way the exploit works is that the attacker sends the victim's DNS server a recursive query for a name in a zone the attacker controls. In order to satisfy the query, the victim's server connects to the attacker's authoritative DNS server. That server has been specially constructed to reply with an NXT record (type 30, the DNSSEC "next" record from RFC 2535) whose data is roughly 6500 bytes long, far more than a real NXT record can ever hold. The vulnerable named copies the record into a fixed-size buffer without checking its length, overwriting the stack and running the attacker's code with the privileges of named.
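To make the mechanism concrete, the following C program is an added example written for this page; it is not BIND's code and not the ADM exploit. It builds a constructed DNS response carrying an NXT record with an attacker-chosen RDLENGTH, then parses it two ways: an unchecked copy into a fixed 512-byte buffer that models the flawed code path (the buffer size, the modelled stack region and the error codes are assumptions), and a checked copy that rejects the record before anything is written. The 271-byte protocol maximum is derived from RFC 2535's NXT layout (a wire-format name of at most 255 octets plus a type bit map of at most 16 octets).

```c
/* nxt_demo.c: illustrative model of the BIND 8.2.x NXT flaw and its fix,
 * written for this page. NOT BIND's code; NXT_BUF, SPILL, the error codes
 * and the sample message are assumptions. Build: cc -Wall -o nxt_demo nxt_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define T_NXT         30          /* RR type code for NXT (RFC 2535) */
#define NXT_BUF       512         /* assumed size of the fixed stack buffer */
#define SPILL         8192        /* modelled stack area beyond that buffer */
/* RFC 2535: NXT RDATA is a next-domain name (at most 255 octets on the wire)
 * plus a type bit map of at most 16 octets, so longer RDATA is malformed. */
#define NXT_MAX_RDATA (255 + 16)

enum { NXT_ERR_TRUNC = -1, NXT_ERR_NOTNXT = -2, NXT_ERR_RDLEN_MSG = -3,
       NXT_ERR_RDLEN_BUF = -4, NXT_ERR_RDLEN_PROTO = -5 };

/* Constructed sample: a DNS response whose single answer is an NXT RR for
 * victim.example with an attacker-chosen RDLENGTH. Returns the message
 * length, or 0 if it does not fit in out[]. */
size_t build_nxt_response(uint16_t rdlen, uint8_t *out, size_t cap)
{
    static const uint8_t hdr[12]   = {0x13,0x37, 0x81,0x80, 0,1, 0,1, 0,0, 0,0}; /* ID, QR|RD|RA, QD=1, AN=1 */
    static const uint8_t qname[16] = {6,'v','i','c','t','i','m',7,'e','x','a','m','p','l','e',0};
    static const uint8_t rrfix[10] = {0xC0,0x0C, 0,T_NXT, 0,1, 0,0,0x0E,0x10}; /* NAME ptr, TYPE, CLASS, TTL */
    size_t n = 0;
    if ((size_t)rdlen + 12 + 16 + 4 + 10 + 2 > cap) return 0;
    memcpy(out + n, hdr, 12);    n += 12;
    memcpy(out + n, qname, 16);  n += 16;
    out[n++] = 0; out[n++] = T_NXT; out[n++] = 0; out[n++] = 1;   /* QTYPE NXT, QCLASS IN */
    memcpy(out + n, rrfix, 10);  n += 10;
    out[n++] = (uint8_t)(rdlen >> 8); out[n++] = (uint8_t)rdlen; /* RDLENGTH */
    memset(out + n, 'A', rdlen); n += rdlen;  /* filler where an exploit puts its payload */
    return n;
}

/* Skip a wire-format name (labels or a compression pointer); -1 if truncated. */
static int skip_name(const uint8_t *msg, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0) return (int)off + 1;
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? (int)off + 2 : -1;
        if (l & 0xC0) return -1;          /* reserved label types */
        off += 1 + l;
    }
    return -1;
}

/* Locate the first answer RR; fills TYPE, RDATA offset and RDLENGTH. */
static int find_answer_rdata(const uint8_t *msg, size_t len, uint16_t *rtype,
                             size_t *rdoff, uint16_t *rdlen)
{
    if (len < 12) return -1;
    uint16_t qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7];
    if (an == 0) return -1;
    size_t off = 12;
    for (uint16_t i = 0; i < qd; i++) {          /* skip the question section */
        int o = skip_name(msg, len, off);
        if (o < 0 || (size_t)o + 4 > len) return -1;
        off = (size_t)o + 4;
    }
    int o = skip_name(msg, len, off);
    if (o < 0 || (size_t)o + 10 > len) return -1;
    off = (size_t)o;
    *rtype = (msg[off] << 8) | msg[off + 1];
    *rdlen = (msg[off + 8] << 8) | msg[off + 9];
    *rdoff = off + 10;
    return 0;
}

/* Vulnerable pattern (model of the flawed code path): trust RDLENGTH and copy
 * into a fixed NXT_BUF-byte buffer. To stay runnable, frame[] also holds a
 * SPILL-byte model of the rest of the stack, and the function reports how
 * many bytes landed there; in the real server those bytes overwrite saved
 * registers and the return address. Returns -1 only for the demo's own guards. */
long nxt_copy_unchecked(const uint8_t *msg, size_t len)
{
    uint8_t frame[NXT_BUF + SPILL];
    uint16_t rtype, rdlen; size_t rdoff;
    long spilled = 0;
    if (find_answer_rdata(msg, len, &rtype, &rdoff, &rdlen) < 0 || rtype != T_NXT)
        return -1;
    /* Demo-only guards so the model itself never reads or writes out of bounds. */
    if (rdlen > len - rdoff || rdlen > sizeof frame) return -1;
    memset(frame + NXT_BUF, 0, SPILL);
    memcpy(frame, msg + rdoff, rdlen);            /* the unchecked copy */
    for (size_t i = NXT_BUF; i < sizeof frame; i++)
        if (frame[i]) spilled++;
    return spilled;
}

/* Fixed pattern: RDLENGTH must fit the remaining message, the destination
 * buffer and the protocol maximum before anything is copied. Returns the
 * number of bytes copied or one of the NXT_ERR_* codes. */
int nxt_copy_checked(const uint8_t *msg, size_t len, uint8_t *out, size_t outcap)
{
    uint16_t rtype, rdlen; size_t rdoff;
    if (find_answer_rdata(msg, len, &rtype, &rdoff, &rdlen) < 0) return NXT_ERR_TRUNC;
    if (rtype != T_NXT) return NXT_ERR_NOTNXT;
    if (rdlen > len - rdoff) return NXT_ERR_RDLEN_MSG;
    if (rdlen > outcap) return NXT_ERR_RDLEN_BUF;
    if (rdlen > NXT_MAX_RDATA) return NXT_ERR_RDLEN_PROTO;
    memcpy(out, msg + rdoff, rdlen);
    return rdlen;
}

int main(void)
{
    uint8_t msg[9000], out[NXT_BUF];
    size_t n = build_nxt_response(6500, msg, sizeof msg);
    printf("message: %zu bytes, NXT RDLENGTH 6500\n", n);
    printf("unchecked copy: %ld bytes spilled past the %d-byte buffer\n",
           nxt_copy_unchecked(msg, n), NXT_BUF);
    printf("checked copy: %d (negative = rejected)\n",
           nxt_copy_checked(msg, n, out, sizeof out));
    return 0;
}
```

The checked parser tests the three bounds in the order a resolver can evaluate them: first that RDLENGTH does not run past the message it actually received, then that it fits the destination, and only then the protocol limit. Either of the first two checks alone would have stopped this exploit; the third additionally rejects records that are oversized but happen to fit the buffer.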
The most common exploit for this vulnerability comes from the ADM group. The programs adm-nxt.c and t666.c that exploit this hole are floating around.
Colloquially, this is known as the ADMROCKS bug, because these exploits create a subdirectory called ADMROCKS in the working directory of the named process. On a default RedHat 6.1 installation this is /var/named, so an unexplained ADMROCKS directory there is a reliable sign of compromise. A directory listing will look something like:
total 10
drwxr-xr-x   3 root root 1024 Apr  1 11:26 .
drwxr-xr-x  23 root root 1024 Jan 17 01:55 ..
drwxr-xr-x   2 root root 1024 Apr  1 11:26 ADMROCKS
-rw-r--r--   1 root root 2769 May 12  1999 named.ca
-rw-r--r--   1 root root  422 May 12  1999 named.local
-rw-r--r--   1 root root 2075 Apr  1 11:13 named_dump.db

Systems vulnerable
BIND 8.2, 8.2-P1 and 8.2.1 are vulnerable; upgrade to BIND 8.2.2-P5 or later. The running version can be checked on the host with "named -v", or remotely with a CHAOS-class TXT query for version.bind (dig @server version.bind chaos txt), provided the server answers it. Some popular packages that shipped vulnerable versions are:
- RedHat 6.0, 6.1
- FreeBSD 3.2
- OpenBSD 2.6
- NetBSD 1.4.1
Version appeared: 2.0