DNS hostname exceeding maximum length (DNS_Hostname_Overflow)

About this signature or vulnerability

Proventia Network IPS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects a domain that has exceeded the RFC defined maximum.

This signature detects a Windows event log message indicating that a domain name exceeding the maximum name length has been detected by the Microsoft DNS Server.

This signature was replaced by DNS_Hostname_Overflow_Verylong.


False positives

RealSecure Server Sensor: Queries requesting non-RFC compliant hostnames will appear to be this attack.

Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Network IPS: 2.0, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.0, RealSecure Server Sensor: 7.0, RealSecure Server Sensor: 5.5, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Desktops: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0

Systems affected

Various vendors Any application, DNS DNS, Microsoft Windows NT: 4.0, Microsoft Windows 2000, ISC BIND: 4.9.5, ISC BIND: 4.9.5 P1, ISC BIND: 4.9.6, ISC BIND: 4.9.7, ISC BIND: 4.9.2, ISC BIND: 4.9.3, ISC BIND: 4.9.4, ISC BIND: 4.9.8, ISC BIND: 4.9.9, ISC BIND: 4.9.10, ISC BIND: 4.9, ISC BIND: 4

Type

Suspicious Activity

Vulnerability description

DNS responses for hostnames should not exceed a certain fixed length. A domain name exceeding the maximum length of 255 octets could indicate one of the following events:

When Microsoft DNS Server encounters a resource record with a domain name exceeding the maximum length of 255 octets, the resource record is ignored by the DNS server.

Versions 4.x and earlier of BIND (Berkeley Internet Name Domain, a DNS server available for most versions of Unix) do not validate the maximum domain name length of 255 octets. Hostnames longer than this length can be returned to client programs performing DNS lookups. Client programs that do not check the length of the hostnames returned may overflow internal buffers when copying this hostname, allowing a remote attacker to gain root access or execute arbitrary commands on a targeted client computer.

How to remove this vulnerability

Investigate the source of the invalid domain name. Ensure that the master DNS server is using the correct zone file. Correct any errors in the DNS zone file, such as bad DNS resource records, that are reported in the DNS error log. Ensure that security permissions are configured so that only the intended security principals have access.

— AND —

If you are using a version of BIND earlier than 4.x, upgrade to the latest version of BIND (8.2.2 patchlevel 5 or later), available from the BIND Web site. See References.

References

Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp

Internet Software Consortium (ISC) Web site
Current release
http://www.isc.org/products/BIND/

ISS X-Force
DNS hostname exceeding maximum length
http://www.iss.net/security_center/static/636.php