DNS hostname exceeding maximum length (DNS_Hostname_Overflow_Verylong)

About this signature or vulnerability

RealSecure Desktop, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, RealSecure Sentry, RealSecure Guard, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Network:

This signature detects domain names that have a length greater than 900 characters.

This signature replaces DNS_Hostname_Overflow.

Default risk level

High risk vulnerability High

Sensors that have this signature

RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cbd, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, BlackICE PC Protection: 3.6.cbd, BlackICE Agent for Server: 3.6, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, RealSecure Network: 7.0

Systems affected

Various vendors Any application, DNS DNS, Microsoft Windows NT: 4.0, Microsoft Windows 2000, ISC BIND: 4.9.5, ISC BIND: 4.9.5 P1, ISC BIND: 4.9.6, ISC BIND: 4.9.7, ISC BIND: 4.9.2, ISC BIND: 4.9.3, ISC BIND: 4.9.4, ISC BIND: 4.9.8, ISC BIND: 4.9.9, ISC BIND: 4.9.10, ISC BIND: 4.9, ISC BIND: 4

Type

Suspicious Activity

Vulnerability description

DNS responses for hostnames should not exceed a certain fixed length. A domain name exceeding the maximum length of 255 octets could indicate one of the following events:

a zone file error
incorrectly entered hostnames in nslookup queries
an attempt by an attacker to manipulate the DNS server

When Microsoft DNS Server encounters a resource record with a domain name exceeding the maximum length of 255 octets, the resource record is ignored by the DNS server.

Versions 4.x and earlier of BIND (Berkeley Internet Name Domain, a DNS server available for most versions of Unix) do not validate the maximum domain name length of 255 octets. Hostnames longer than this length can be returned to client programs performing DNS lookups. Client programs that do not check the length of the hostnames returned may overflow internal buffers when copying this hostname, allowing a remote attacker to gain root access or execute arbitrary commands on a targeted client computer.

How to remove this vulnerability

Investigate the source of the invalid domain name. Ensure that the master DNS server is using the correct zone file. Correct any errors in the DNS zone file, such as bad DNS resource records, that are reported in the DNS error log. Ensure that security permissions are configured so that only the intended security principals have access.

— AND —

If you are using a version of BIND earlier than 4.x, upgrade to the latest version of BIND (8.2.2 patchlevel 5 or later), available from the BIND Web site. See References.

References

Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
http://www.microsoft.com/technet/winnt/Winntas/manuals/concept/xcp09.asp

Internet Software Consortium (ISC) Web site
Current release
http://www.isc.org/products/BIND/

ISS X-Force
DNS hostname exceeding maximum length
http://www.iss.net/security_center/static/636.php