
bind.nxt.txt

Posted Nov 12, 1999

A bug in the processing of NXT records allows attackers remote access to DNS servers at the privilege level that the DNS server runs at. All versions of BIND below 8.2.2 patchlevel 3 are vulnerable. Updated with a little more detailed information about the bug and the handling of NXT records. Advisory from ISC here.

tags | exploit, remote
SHA-256 | 0f62614994f9e3c303188367fb4933c80f550e5e69a744404d32c72ec099ca7d

https://www.isc.org/products/BIND/bind-security-19991108.html


Name: "nxt bug"

Versions affected: 8.2, 8.2 patchlevel 1, 8.2.1
Severity: CRITICAL
Exploitable: Remotely
Type: Access possible

Description:

A bug in the processing of NXT records can theoretically allow an
attacker to gain access to the system running the DNS server at
whatever privilege level the DNS server runs at.

Workarounds:

None.

Active Exploits:

At this time, ISC is unaware of any active exploits of this
vulnerability; however, given the potential access this vulnerability
represents, it is probable scripts will be created in the near future
that make use of this vulnerability.



Reply-To: Anonymous <nobody@REPLAY.COM>
Comments: This message did not originate from the Sender address above.
          It was remailed automatically by anonymizing remailer software.
          Please report problems or inappropriate use to the remailer
          administrator at <abuse@replay.com>.
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Ooh, those pesky NXT records. Like I process those every day.
Fascinating read in RFC 2535, but suppose I don't have any NXT
records in my own zones, under what circumstances will my DNS server
commit the sin of "the processing of NXT records"? In other words,
are all of us vulnerable (even caching-only name servers if so, I
imagine!), or only people with NXT records? This makes a big difference!


Subject: Re: your mail
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

On Thu, 11 Nov 1999, Anonymous wrote:

> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!

Caching-only servers are also vulnerable. The NXT record is no different
than any other DNS record in this case. If someone is able to make your
server fetch a maliciously-constructed NXT record, it will cause problems.
A query to a caching server will force the server to send a recursive
query, which makes the caching server vulnerable.

Brian


Date: Fri, 12 Nov 1999 05:20:55 +0100
From: Alain Thivillon <Alain.Thivillon@HSC.FR>
Subject: Re: your mail
To: BUGTRAQ@SECURITYFOCUS.COM

Anonymous <nobody@REPLAY.COM> wrote:

> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!

[ NB : I can be wrong, don't flame me :) ]

Examining diffs between 8.2.1 and 8.2.2PL3 shows a rewrite of the code handling
external responses to an NXT query coming from bind itself (see
bin/named/ns_resp.c). So I suppose, if your name server is public and
recursive, an external attacker can query your bind for an NXT record in
another zone. If he has control of the name server of this zone, he can
send offending responses and trigger the bug.

I suspect every public server with 8.2 <= bind < 8.2.3PL3 is vulnerable.



Reply-To: "David R. Conrad" <David_Conrad@ISC.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
Organization: Internet Software Consortium
X-To: Anonymous <nobody@REPLAY.COM>
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

The problem is with the reception of NXT records, so it doesn't matter what
you have in your own zone files. Any nameserver running versions 8.2, 8.2
patchlevel 1, or 8.2.1 can be susceptible to the attack (albeit there are
some pre-conditions that must be met for the issue to even come up). We, of
course, recommend upgrading. In addition, we recommend running your
nameserver as non-root and chrooted (I know setting this up is non-trivial --
it'll be much, much easier in BINDv9).

Rgds,
-drc

Anonymous wrote:
> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!
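
What "reception of NXT records" looks like on the wire, as an added detection-side example (not code from ISC, BIND or any poster in this thread): it walks a DNS response, reports every NXT RR (type 30) and compares its RDATA with the RFC 2535 section 5.2 layout. The function names, verdict strings and sample packets are constructed for illustration; the thread does not describe the malformation that triggers the bug, so a "conforming" verdict is a structural statement only.

```python
import struct
NXT = 30  # RR type code for NXT (RFC 2535)

def read_name(msg, off, end):  # the name's in-place bytes must stop before end
    labels, resume, hops = [], None, 0
    while off < end:
        n = msg[off]
        if n >= 0xC0:  # compression pointer: follow it, at most 16 hops
            if off + 2 > end or hops == 16:
                raise ValueError("bad compression pointer")
            resume, hops = resume or off + 2, hops + 1
            off, end = (n & 0x3F) << 8 | msg[off + 1], len(msg)
        elif n > 63 or off + 1 + n > end:
            raise ValueError("label overruns its container")
        elif n == 0:
            return ".".join(labels) + ".", resume or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("name overruns its container")

def check_nxt(msg, off, rd_end):  # NXT RDATA = next domain name + type bitmap
    try:
        nxt, p = read_name(msg, off, rd_end)
    except ValueError as exc:
        return "nonconforming: " + str(exc)
    bitmap = msg[p:rd_end]  # RFC 2535 5.2: 4-16 octets, bit 0 clear, last nonzero
    ok = 4 <= len(bitmap) <= 16 and not bitmap[0] & 0x80 and bitmap[-1] != 0
    return "conforming, next=" + nxt if ok else "nonconforming: type bitmap"

def nxt_findings(msg, off=12):  # yields (owner, verdict); header is 12 octets
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    for _ in range(qd):  # skip the question section
        off = read_name(msg, off, len(msg))[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off, len(msg))
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rd_end = off + 10 + rdlen
        if rd_end > len(msg):
            raise ValueError("RDATA overruns message")
        if rtype == NXT:
            yield owner, check_nxt(msg, off + 10, rd_end)
        off = rd_end

def sample_response(rdata):  # constructed packet: answer to "a.example. NXT"
    head = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x01a\x07example\x00"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", NXT, 1, 60, len(rdata)) + rdata
    return head + struct.pack("!HH", NXT, 1) + rr
GOOD = sample_response(b"\x01b\x07example\x00" + b"\x40\x00\x00\x02")  # A + NXT bits
BAD = sample_response(b"\x3fab")  # label claims 63 octets, RDATA holds 2 more
```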


