6027221 2001-01-29 15:50 -0800  /39 lines/ Max Vision <vision@WHITEHATS.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-01-30  20:16  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: vision@WHITEHATS.COM
Recipient: Bugtraq (import) <15070>
Subject: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: Max Vision <vision@WHITEHATS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <5.0.2.1.2.20010129125423.00a7f990@127.0.0.01>

Hi,

The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard
coded chaos record called "authors".  So now even if an admin changes
or suppresses their version reply string, a remote user can still
determine whether the server is running BIND 9.x.  With the recent
discovery of the tsig bug in BIND there will probably be a huge rise
in version queries.  Some attackers may remove ambiguity by skipping
servers that reply to authors.bind (inferring that it's bind 9.1.0
and not vulnerable).

% dig @ns.example.com authors.bind chaos txt

or

% nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
Server:  ns.example.com
Address:  23.23.23.23

authors.bind    text = "Bob Halley"
authors.bind    text = "Mark Andrews"
authors.bind    text = "James Brister"
authors.bind    text = "Michael Graff"
authors.bind    text = "David Lawrence"
authors.bind    text = "Michael Sawyer"
authors.bind    text = "Brian Wellington"
authors.bind    text = "Andreas Gustafsson"

The following Snort signature will detect these probes:

   alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors";
       content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)

http://whitehats.com/info/IDS480

Max
(6027221) --------------------------------(Rewrapped)
Comment in text 6028313 by Eric Limpens <eric@LIMPENS.NET>
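As an added example (not part of Max Vision's post and not the Snort rule itself), the Python below expresses the same detection as a parser-based check: it decodes the question section of a UDP DNS query payload and flags CHAOS-class TXT queries for authors.bind or version.bind. Unlike a bare content match at offset 12, it also checks QCLASS, so an IN-class lookup of the same name is not reported; the sample packets are constructed inline, not captured traffic.

```python
import struct

# Constructed sample queries for the check below (not captured traffic).
DNS_HEADER_LEN = 12           # the Snort rule's offset: 12 skips the fixed header
QTYPE_TXT, QCLASS_CHAOS = 16, 3

def build_query(name, qtype=QTYPE_TXT, qclass=QCLASS_CHAOS, txid=0x1234):
    """Encode a single-question DNS query in wire format (helper for samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(payload):
    """Return (name, qtype, qclass) of the first question, or None if malformed."""
    if len(payload) < DNS_HEADER_LEN:
        return None
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        return None
    pos, labels = DNS_HEADER_LEN, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:         # compression pointer: not valid in a query name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_bind_chaos_probe(payload):
    """True for CHAOS-class TXT queries for authors.bind or version.bind.
    Name comparison is case-insensitive, matching the rule's nocase."""
    question = parse_question(payload)
    if question is None:
        return False
    name, qtype, qclass = question
    return (qclass == QCLASS_CHAOS and qtype == QTYPE_TXT
            and name in ("authors.bind", "version.bind"))

SAMPLE_PROBE = build_query("authors.bind")                        # flagged
SAMPLE_BENIGN = build_query("www.example.com", qtype=1, qclass=1)  # not flagged
```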
6028313 2001-01-30 20:28 +0100  /42 lines/ Eric Limpens <eric@LIMPENS.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-01-31  03:40  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: eric@LIMPENS.NET
Recipient: Bugtraq (import) <15109>
Comment on text 6027221 by Max Vision <vision@WHITEHATS.COM>
Subject: Re: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: Eric Limpens <eric@LIMPENS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010130202832.A23363@limpens.net>

On Mon, Jan 29, 2001 at 03:50:31PM -0800, Max Vision wrote:
> Hi,
>
> The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> chaos record called "authors".  So now even if an admin changes or
> suppresses their version reply string, a remote user can still determine
> whether the server is running BIND 9.x.  With the recent discovery of the
> tsig bug in BIND there will probably be a huge rise in version
> queries.  Some attackers may remove ambiguity by skipping servers that
> reply to authors.bind (inferring that it's bind 9.1.0 and not vulnerable).
>
> % dig @ns.example.com authors.bind chaos txt
>

For the absolute paranoid (all of us I guess), this patch will
disable at least that fingerprinting.

Eric

-------->8 cut here 8<-------
--- server.c.org        Tue Jan 30 20:25:57 2001
+++ server.c    Tue Jan 30 20:23:03 2001
@@ -1667,7 +1667,7 @@
        CHECK(create_bind_view(&view));
        ISC_LIST_APPEND(lctx.viewlist, view, link);
        CHECK(create_version_zone(cctx, server->zonemgr, view));
-       CHECK(create_authors_zone(server->zonemgr, view));
+/*     CHECK(create_authors_zone(server->zonemgr, view));*/
        dns_view_freeze(view);
        view = NULL;
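Review bot: commenting out the CHECK(create_authors_zone(server->zonemgr, view)) call with a /* */ block, rather than removing it under a build- or config-driven condition, leaves create_authors_zone defined but unreferenced in server.c (an unused-function warning if it is static) and is silently lost on the next upgrade of the source tree; if this is meant to stay, guard it with a named.conf option or at least an #if 0 with a comment saying why. Note also that the create_version_zone call on the line above is untouched, so version.bind is still served and must be handled separately with the version option.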
-------->8 cut here 8<-------

--
GIT$ d+ s+:- !a C+++ UL++++ P+++ L+++ E--- W+ N++ o K+ w--
O- M- V- PS PE Y+ PGP++ t 5 X R- tv+ b++ DI++ D
G e h+ r y?
(6028313) --------------------------------(Rewrapped)

6028304 2001-01-30 19:14 -0600  /44 lines/  <buglist@SHIKAHR.COM.INTER.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-01-31  03:24  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: buglist@SHIKAHR.COM.INTER.NET
Recipient: Bugtraq (import) <15105>
Subject: Re: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: buglist@SHIKAHR.COM.INTER.NET
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <E14Nlqm-000LUd-00@tuvela.shikahr.com.inter.net>

In message <5.0.2.1.2.20010129125423.00a7f990@127.0.0.01>
Max Vision writes:

> The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> chaos record called "authors".

   [ snip ]

> % dig @ns.example.com authors.bind chaos txt

I've been playing some with BIND 9.1.0, and have found that queries
like this can be suppressed using the new "view" capability. I now
have in my named.conf, the following:

   view "external-chaos" chaos {
        match-clients { any; };
        recursion no;
        zone "." {
                type hint;
                file "/dev/null";
        };
   };

and a similar entry for hesiod records. Queries then against either
chaos or hesiod records will come back as "servfail".

Alternatively, creating your own "bind." domain with CH, rather than
IN, records for SOA and TXT data will override hardcoded values. I've
also got a "bind." domain that has this record:

   version.bind.    0    ch   txt     "Who knows"

so that if I don't use a "view" to block chaos records, then at least
I give out only information that I want to give out.

--
Randall Raemon
shikahr.com.inter.net, email to rlr
(6028304) ------------------------------------------
6032072 2001-01-31 08:15 -0700  /87 lines/ William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-01-31  19:00  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: wcolburn@NMT.EDU
Recipient: Bugtraq (import) <15112>
Comment on text 6028304 by  <buglist@SHIKAHR.COM.INTER.NET>
Subject: Re: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: "William D. Colburn (aka Schlake)" <wcolburn@NMT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010131081500.A28195@nmt.edu>

The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any internet service
which would make version obfuscation just a false sense of security.
Even if your version is obscured, a known exploit will still work
against it if someone tries.  I agree with the BIND people that there
isn't much point in hiding that information.

FAQ>Q: How do I restrict people from looking up the server version?
FAQ>
FAQ>A: Put a "version" option containing something other than the real
FAQ>version in the "options" section of named.conf.  Note doing this will
FAQ>not prevent attacks and may impede people trying to diagnose problems
FAQ>with your server.  Also it is possible to "fingerprint" nameservers to
FAQ>determine their version.
FAQ>
FAQ>Q: How do I restrict only remote users from looking up the server
FAQ>version?
FAQ>
FAQ>A: The following view statement will intercept lookups as the internal
FAQ>view that holds the version information will be matched last.  The
FAQ>caveats of the previous answer still apply, of course.
FAQ>
FAQ>  view "chaos" chaos {
FAQ>          match-clients { <those to be refused>; };
FAQ>          allow-query { none; };
FAQ>          zone "." {
FAQ>                  type hint;
FAQ>                  file "/dev/null";  // or any empty file
FAQ>          };
FAQ>  };

On Tue, Jan 30, 2001 at 07:14:20PM -0600, buglist@SHIKAHR.COM.INTER.NET wrote:
> Date:         Tue, 30 Jan 2001 19:14:20 -0600
> From: buglist@SHIKAHR.COM.INTER.NET
> Subject:      Re: fingerprinting BIND 9.1.0
> To: BUGTRAQ@SECURITYFOCUS.COM
>
> In message <5.0.2.1.2.20010129125423.00a7f990@127.0.0.01>
> Max Vision writes:
>
> > The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> > chaos record called "authors".
>
>    [ snip ]
>
> > % dig @ns.example.com authors.bind chaos txt
>
> I've been playing some with BIND 9.1.0, and have found that queries
> like this can be suppressed using the new "view" capability. I now
> have in my named.conf, the following:
>
>    view "external-chaos" chaos {
>         match-clients { any; };
>         recursion no;
>         zone "." {
>                 type hint ;
>                 file "/dev/null";
>                 };
>         };
>
> and a similar entry for hesiod records. Queries then against either
> chaos or hesiod records will come back as "servfail".
>
> Alternatively, creating your own "bind." domain with CH, rather than
> IN, records for SOA and TXT data will override hardcoded values. I've
> also got a "bind." domain that has this record:
>
>    version.bind.    0    ch   txt     "Who knows"
>
> so that if I don't use a "view" to block chaos records, then at least
> I give out only information that I want to give out.
>
> --
> Randall Raemon
> shikahr.com.inter.net, email to rlr

--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn
(6032072) ------------------------------------------
Comment in text 6032917 by Lucas Holt <luke@FOOLISHGAMES.COM>
Comment in text 6036906 by Russell Fulton <r.fulton@AUCKLAND.AC.NZ>
6032917 2001-01-31 14:13 -0500  /34 lines/ Lucas Holt <luke@FOOLISHGAMES.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-01-31  23:54  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: luke@FOOLISHGAMES.COM
Recipient: Bugtraq (import) <15121>
Comment on text 6032072 by William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>
Subject: Re: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: Lucas Holt <luke@FOOLISHGAMES.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A7863C2.1B5B387C@foolishgames.com>

Hiding a version number does not stop someone who knows what they are
doing, but it does stop script kiddies out there.  If a 14 year old
kid can not figure out what they are dealing with, they will move on
to easier targets.

"William D. Colburn (aka Schlake)" wrote:

> The FAQ file that comes with the distribution already covers all this.
> While it used to seem like a good idea to obfuscate version numbers,
> things like nmap can be written for just about any internet service
> which would make version obfuscation just a false sense of security.
> Even if your version is obscured, a known exploit will still work
> against it if someone tries.  I agree with the BIND people that there
> isn't much point in hiding that information.
>
>

--

Lucas Holt
Luke@FoolishGames.com
___________________________________________________
http://www.foolishgames.com

"The Macintosh software might have become the successor to MS-DOS.
OS/2 or UNIX might have.  As it happened, MS-DOS was succeeded by
Windows..."
        --Bill Gates, The Road Ahead

If Windows never happened, what would be on your desktop?
(6032917) --------------------------------(Rewrapped)
Comment in text 6037026 by Hendy * <hendy@TEAM-TESO.NET>
6037026 2001-01-31 08:17 +0100  /32 lines/ Hendy * <hendy@TEAM-TESO.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-01  19:14  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: hendy@TEAM-TESO.NET
Recipient: Bugtraq (import) <15133>
Comment on text 6032917 by Lucas Holt <luke@FOOLISHGAMES.COM>
Subject: Re: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: Hendy * <hendy@TEAM-TESO.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010131081741.A14647@team-teso.net>

On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote:
> Hiding a version number does not stop someone who knows what they are doing, but it
> does stop script kiddies out there.  If a 14 year old kid can not figure out what
> they are dealing with, they will move on to easier targets.

agreed, but it won't just stop kiddies, but more important, massowns,
which take place e.g. to build up distributed flood networks, won't
attack your host, if you changed the version string.

on the other hand, a changed version string could also ''attract''
hackers, who want to break into that host.

i am pretty sure bind fingerprinting tools will show up when people
will remove/change their named's version strings.

take care,

-hendy

--
.    ,!.    . _ ___ ___________________________________________________ __ _  .
    ,j't.      hendy@team-teso.org [TESO]   or   hendy@xentix.homeip.net [HOME]
 K=-=:: -=->   fax & vbox: +49-2561-959-55697  gsm/sms: hendy-sms@team-teso.net
  "=i.: [-'    PGP: ``finger hendy@team-teso.net''    [www.team-teso.net/hendy]
   /;:":.\     PGP Fprint:   5AAE 5111 2C39 5E86 9D45  70C3 CA8F 0C20 EF27 264A
. ;}'   '(, . _ ___ ____________________________________________________ . :wq!
(6037026) --------------------------------(Rewrapped)
Comment in text 6041660 by Cy Schubert - ITSD Open Systems Group <Cy.Schubert@UUMAIL.GOV.BC.CA>
6041660 2001-02-02 08:24 -0800  /36 lines/ Cy Schubert - ITSD Open Systems Group <Cy.Schubert@UUMAIL.GOV.BC.CA>
Sent by: joel@lysator.liu.se
Imported: 2001-02-02  19:42  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Cy.Schubert@uumail.gov.bc.ca
Recipient: Bugtraq (import) <15172>
Comment on text 6037026 by Hendy * <hendy@TEAM-TESO.NET>
Subject: Re: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@UUMAIL.GOV.BC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102021624.f12GOaE96582@cwsys.cwsent.com>

In message <20010131081741.A14647@team-teso.net>, Hendy * writes:
> On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote:
> > Hiding a version number does not stop someone who knows what they are doing, but it
> > does stop script kiddies out there.  If a 14 year old kid can not figure out what
> > they are dealing with, they will move on to easier targets.
>
> agreed, but it won't just stop kiddies, but more important, massowns,
> which take place e.g. to build up distributed flood networks, won't attack
> your host, if you changed the version string.
>
> on the other hand, a changed version string could also ''attract'' hackers,
> who want to break into that host.
>
> i am pretty sure bind fingerprinting tools will show up when people will
> remove/change their named's version strings.

Changing the version string on a 8.2.3 or 9.1.0 server to report
4.9.5 would be a better solution.  Script kiddies and more
experienced crackers will attempt BIND4 exploits on your BIND8 or 9
server and confuse them for a while.  Hopefully by then you would
have noticed the activity.  Automated notification to one's pager
will help.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
(6041660) --------------------------------(Rewrapped)
6036906 2001-02-01 13:12 +1300  /32 lines/ Russell Fulton <r.fulton@AUCKLAND.AC.NZ>
Sent by: joel@lysator.liu.se
Imported: 2001-02-01  18:56  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: r.fulton@AUCKLAND.AC.NZ
Recipient: Bugtraq (import) <15131>
Comment on text 6032072 by William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>
Subject: Re: fingerprinting BIND 9.1.0
------------------------------------------------------------
From: Russell Fulton <r.fulton@AUCKLAND.AC.NZ>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <SIMEON.10102011309.O6845@bluebottle.itss>

On Wed, 31 Jan 2001 08:15:01 -0700 "William D. Colburn (aka Schlake)"
<wcolburn@NMT.EDU> wrote:

> The FAQ file that comes with the distribution already covers all this.
> While it used to seem like a good idea to obfuscate version numbers,
> things like nmap can be written for just about any internet service
> which would make version obfuscation just a false sense of security.
> Even if your version is obscured, a known exploit will still work
> against it if someone tries.  I agree with the BIND people that there
> isn't much point in hiding that information.
>

Me too.

Obfuscated version numbers also make internal auditing much more
difficult.

I see many automated attacks (particularly against ftp) which make no
effort to work out which software is running and what hardware it is
running on.

Kiddies don't look and professionals won't be fooled, you will only
fool a few in the middle.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
(6036906) ------------------------------------------