Re: [Full-disclosure] bind-9.8.1 remote code exec exploit?
- To: "Mark Andrews" <marka@xxxxxxx>
- Subject: Re: [Full-disclosure] bind-9.8.1 remote code exec exploit?
- From: nix@xxxxxxxxxxxxxxxx
- Date: Sun, 30 Oct 2011 16:49:20 +0200
>
> In message <c2122821abc4d89254092500a8814215.squirrel@xxxxxxxxxxxxx>,
> nix@myproxylists.com writes:
>> Hello list.
>>
>> I've a source compile of BIND 9.8.1 on the server.
>>
>> I've been investigating weird iptables messages as follows:
>>
>> Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94
>>
>> I received a message from my ISP's abuse desk that my server is scanning SIP
>> port 5060, and I set a firewall rule to deny/log all UDP connections out of
>> the box to port 5060 to get timestamps for further investigation. This
>> happened before I set the firewall rule.
>
> You are just blocking legitimate reply traffic. Your ISP is probably
> misclassifying traffic it sees destined to port 5060. Nameservers
> randomly pick source ports to make it harder for off path attackers
> to spoof reply packets and, unless something is already using port
> 5060, port 5060 is fair game.
>
> You can stop your own nameservers from using 5060 as a query source port
> with avoid-v4-udp-ports, but it doesn't do much to help with queries
> to you.
>
> avoid-v4-udp-ports { 5060; };
> avoid-v6-udp-ports { 5060; };
>
> You should also adjust your firewall to let packets sourced from
> port 53 on your nameservers to any port go through. That way you
> won't get false positives.
>
> Mark
>
>> /var/log/named.log
>>
>> 05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error sending response: host unreachable
>> 07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060: error sending response: host unreachable
>> 08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error sending response: host unreachable
>> 08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060: error sending response: host unreachable
>> 12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060: error sending response: host unreachable
>> 14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060: error sending response: host unreachable
>> 15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060: error sending response: host unreachable
>> 16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error sending response: host unreachable
>> 17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error sending response: host unreachable
>> 23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060: error sending response: host unreachable
>> 25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060: error sending response: host unreachable
>> 25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable
>> 29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
>>
>> Timestamps match exactly with the kernel's firewall log. Every time the BIND
>> error log has the above entry, the box tries to scan for SIP port 5060.
>>
>> Is it possible to scan ports through BIND or exec code by sending a
>> specially crafted request?
>>
>> PS. I have been tracking this issue for a week and no other timestamps
>> match exactly with this issue. I currently have grsec exec logging on
>> and am hoping this issue occurs soon so I can see whether it will execute
>> extra code under the user 'bind'.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx
>
Thanks everyone for the clarification. The port scan issue I had with the
other host actually happened before I set up the name server. At that time I
could not determine what was causing it and I left the issue alone due to
a lot of other work.

Then I set a firewall rule to log/deny UDP port 5060. Afterwards I
installed the name server on this server and started to see those iptables
messages, and thought that something was connecting out of the box to port
5060 that should not.

I was not aware that BIND uses random ports, and obviously 5060 as well.

Hopefully I explained clearly enough what caused this confusion.
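As an added example (not code from this thread, and not ISC's or BIND's own tooling), the script below applies Mark's reasoning to the two log formats quoted above. It parses iptables LOG lines from the kernel log and "error sending response" entries from named.log, then labels each outbound UDP packet: source port 53 is a nameserver reply (confirmed when BIND logged the same client IP#port within a two-second window, which is the timestamp match the original poster observed), destination port 53 is an outbound query (whose randomised source port can itself be 5060 unless avoid-v4-udp-ports is set), and anything else is the only kind of packet that would actually indicate a scanner on the box. The sample log lines are constructed for illustration; the server address 192.0.2.10, the hostname NIX, the two-second window and the year 2011 (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the formats quoted in the thread.
# They are illustrative, not the poster's real logs; 192.0.2.10 stands in
# for the server's own address.
NAMED_LOG = """\
25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable
29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
"""

KERNEL_LOG = """\
Oct 25 15:23:51 NIX kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=195.222.32.20 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31700 PROTO=UDP SPT=53 DPT=5060 LEN=94
Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94
Oct 29 14:55:02 NIX kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31800 PROTO=UDP SPT=41233 DPT=5060 LEN=40
Oct 29 14:56:30 NIX kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=31801 PROTO=UDP SPT=5060 DPT=53 LEN=53
"""

NAMED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client: warning: client (?P<ip>[^#\s]+)#(?P<port>\d+): (?P<msg>.*)$")
KERNEL_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ kernel: (?P<fields>.*)$")


def parse_named(text):
    """Return [(timestamp, client_ip, client_port)] for BIND client warnings."""
    out = []
    for line in text.splitlines():
        m = NAMED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            out.append((ts, m["ip"], int(m["port"])))
    return out


def parse_kernel(text, year):
    """Return [(timestamp, {field: value})] for iptables LOG lines.

    Syslog timestamps have no year, so the caller supplies one (assumed 2011).
    The key=value scan keeps the last LEN=, which is the UDP length.
    """
    out = []
    for line in text.splitlines():
        m = KERNEL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        fields = dict(re.findall(r"(\w+)=(\S*)", m["fields"]))
        out.append((ts, fields))
    return out


def classify(kernel_ts, fields, named_entries, window=timedelta(seconds=2)):
    """Label one outbound UDP packet the firewall logged.

    SPT=53: a reply from the nameserver; 'confirmed' when BIND logged the same
    client IP#port within `window` (the match the original poster saw).
    DPT=53: an outbound query from a randomised source port, possibly 5060.
    Anything else is not nameserver traffic and deserves a closer look.
    """
    if fields.get("PROTO") != "UDP":
        return "not-udp"
    spt, dpt, dst = int(fields["SPT"]), int(fields["DPT"]), fields["DST"]
    if spt == 53:
        for ts, ip, port in named_entries:
            if ip == dst and port == dpt and abs(ts - kernel_ts) <= window:
                return "dns-reply-confirmed"
        return "dns-reply-unconfirmed"
    if dpt == 53:
        return "dns-query"
    return "unexplained"


def correlate(named_text=NAMED_LOG, kernel_text=KERNEL_LOG, year=2011):
    """Return [(dst, spt, dpt, verdict)] for every firewall-logged packet."""
    named = parse_named(named_text)
    return [(f["DST"], int(f["SPT"]), int(f["DPT"]), classify(ts, f, named))
            for ts, f in parse_kernel(kernel_text, year)]


if __name__ == "__main__":
    for dst, spt, dpt, verdict in correlate():
        print(f"{dst:16} {spt:>5} -> {dpt:<5} {verdict}")
```

Run against the constructed input, the two SPT=53 packets to port 5060 come out as confirmed replies (exactly the pairs that produced the ISP complaint and the firewall hits), the SPT=5060 packet to port 53 is an ordinary query that avoid-v4-udp-ports would stop, and only the packet from an unrelated high port to 5060 is left unexplained. The same split is what Mark's firewall advice encodes: allow anything sourced from port 53 on the nameserver to any destination port, and reserve logging for traffic that fits neither the reply nor the query pattern.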