Thursday, July 30, 2009
Crash a BIND9 server
BIND is reporting a security flaw in its BIND9 distribution. It turns out that you can cause a BIND server to crash remotely. As BIND is one of the most widely used DNS servers around the world, and DNS is the glue that holds the internet together, this can be considered quite a high risk. It turns out that you can crash a server by sending it a dynamic update for a zone for which the server is the DNS master. Or, as it is stated on isc.org:
Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.
This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.
dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.
db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).
Now if we take a look at the dynamic update part:
Dynamic Update is a method for adding, replacing or deleting records in a master server by sending it a special form of DNS messages. The format and meaning of these messages is specified in RFC 2136.
Dynamic update is enabled on a zone-by-zone basis, by including an allow-update or update-policy clause in the zone statement.
Updating of secure zones (zones using DNSSEC) follows RFC 3007: RRSIG and NSEC records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy.
The dynamic update can be done via the nsupdate command. I will not explain on this weblog how you can crash a BIND9 machine; however, I can confirm the threat is real, and with a little understanding of BIND and some research it is possible. I have been using a test environment to check it, and if you are running a BIND9 server you might want to dive a little deeper into this.
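From the defender's side, the quickest way to know whether a named process died from this assertion is to watch its log for the two lines quoted above from the ISC advisory. The following script is an added example (not part of the original post or of BIND itself) that scans syslog-style named output for REQUIRE/INSIST/ENSURE failures, labels the db.c / dns_rdatatype_any pair described in the advisory, and records whether an "exiting (due to assertion failure)" line followed; the sample log lines are constructed, not captured output.

```python
import re

# Matches the BIND assertion line quoted in the advisory, e.g.
#   db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
ASSERT_RE = re.compile(
    r"(?P<file>[\w./-]+\.c):(?P<line>\d+): (?P<kind>REQUIRE|INSIST|ENSURE)\((?P<cond>.*)\) failed"
)
# Matches the line named prints just before it exits on an assertion failure.
EXIT_RE = re.compile(r"exiting \(due to assertion failure\)")


def classify_assert(file: str, cond: str) -> str:
    """Label the assertion; the db.c / dns_rdatatype_any pair is the one the advisory describes."""
    if file.endswith("db.c") and "dns_rdatatype_any" in cond:
        return "dynamic-update type ANY prerequisite (matches ISC advisory)"
    return "other BIND assertion failure"


def scan_named_log(lines):
    """Return one finding per assertion failure, noting whether named then exited."""
    findings = []
    pending = None  # the most recent assertion still waiting for its exit line
    for raw in lines:
        m = ASSERT_RE.search(raw)
        if m:
            pending = {"file": m["file"], "line": int(m["line"]), "kind": m["kind"],
                       "condition": m["cond"], "label": classify_assert(m["file"], m["cond"]),
                       "exited": False}
            findings.append(pending)
            continue
        if EXIT_RE.search(raw) and pending is not None:
            pending["exited"] = True
            pending = None
    return findings


# Constructed sample syslog lines (not real captured output), built around the
# messages quoted in the advisory; host names, PIDs and zone are placeholders.
SAMPLE_LOG = [
    "Jul 30 10:13:55 ns1 named[2471]: zone example.test/IN: loaded serial 2009073001",
    "Jul 30 10:14:02 ns1 named[2471]: db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed",
    "Jul 30 10:14:02 ns1 named[2471]: exiting (due to assertion failure)",
    "Jul 30 10:15:30 ns1 named[2512]: starting BIND",
]

if __name__ == "__main__":
    for f in scan_named_log(SAMPLE_LOG):
        state = "named exited" if f["exited"] else "no exit seen"
        print(f"{f['file']}:{f['line']} {f['kind']} -> {f['label']} ({state})")
```

Feeding the script the output of your log aggregator rather than the sample list turns it into a simple alert for masters that are being hit, which the advisory says access controls alone will not prevent.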