CERT Coordination Center

BIND memcpy not bounded in case T_SIG of rrextract()

Vulnerability Note VU#13145

Original Release Date: 2001-11-15 | Last Revised: 2001-11-15

Overview

Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.

Description

Version 8.2.2 of BIND includes some checks for the correct format of a signature record in DNSSEC that previous versions did not. Specifically, in the file ns_resp.c, there is a routine called 'rrextract'. (rr = "resource record"). rrextract contains a large switch block that converts resource records from the network format to the database format, doing different things depending on the type of record received. For case T_SIG, it decodes the signature records. When it gets to the name of the signing domain, there is the following block of code:

/* then the signer's name */
n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data) - 18);
if (n < 0 || n + NS_SIG_SIGNER > dlen) {
        hp->rcode = FORMERR;
        return (-1);
}

Slightly later, there is code that reads:

n = dlen - (NS_SIG_SIGNER + n);

and then...

memcpy(cp1, cp, n);

If an intruder can cause n to be large, the third argument to the memcpy will be negative. Because the third argument is an unsigned int, the negative value is interpreted as a very large positive one. Thus a buffer can indeed be overflowed, but the copy length is very, very large (~4GB on a 32-bit machine); it may not be possible to use this overflow to execute code.

dn_expand is a routine that actually converts the resource record from the wire format to the database format. It returns -1 if there is an error in decoding the resource record.

NS_SIG_SIGNER is defined in nameser.h as follows:

/* Offsets into SIG record rdata to find various values */

#define NS_SIG_SIGNER 18 /* Domain name of who signed it */

Previous versions of BIND do not include the checks related to NS_SIG_SIGNER, only a check for a negative value returned from dn_expand (an error). Without this check it appears that if a nameserver returns a malformed value, BIND will crash.
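The following is an added example, not code from BIND or from this note, that models the length arithmetic described above: the unchecked computation lets a signer name longer than the rdata allows produce a negative int that becomes a huge memcpy count, while the 8.2.2 patch level 5 check rejects such a record with FORMERR. The function names and the sample rdata lengths are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Offset of the signer's name within SIG rdata, as in nameser.h. */
#define NS_SIG_SIGNER 18

/* Unchecked arithmetic (pre-patch behaviour): the remaining signature
 * length is dlen - (NS_SIG_SIGNER + n) with no bounds check. If the
 * signer name consumed more bytes than the rdata can hold, the int result
 * is negative; converting it to memcpy's unsigned size type wraps it to a
 * value near the top of the address space (~4GB on 32-bit). */
size_t sig_len_unchecked(int dlen, int signer_len)
{
    int n = dlen - (NS_SIG_SIGNER + signer_len);
    return (size_t)n;   /* same implicit conversion as at a memcpy() call */
}

/* Checked version, mirroring the test in rrextract(): reject the record
 * (return -1, i.e. FORMERR) unless the fixed SIG header plus the expanded
 * signer name fit inside dlen; only then compute the signature length. */
int sig_len_checked(int dlen, int signer_len)
{
    if (signer_len < 0 || signer_len + NS_SIG_SIGNER > dlen)
        return -1;      /* malformed SIG record: FORMERR, nothing copied */
    return dlen - (NS_SIG_SIGNER + signer_len);
}

int main(void)
{
    /* Constructed inputs: 100 bytes of rdata, signer name of 90 wire bytes,
     * so 18 + 90 exceeds dlen by 8. */
    int dlen = 100, signer_len = 90;
    printf("unchecked memcpy length: %zu\n",
           sig_len_unchecked(dlen, signer_len));
    printf("checked result: %d (FORMERR)\n",
           sig_len_checked(dlen, signer_len));
    /* A well-formed record: 18 + 30 fits, leaving 52 signature bytes. */
    printf("well-formed signature length: %d\n", sig_len_checked(100, 30));
    return 0;
}
```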

Impact

Intruders may be able to interrupt the normal operations of your nameserver.

Solution

Upgrade to BIND 8.2.2 patch level 5 or later.

Vendor Information


Acknowledgements

Thanks to ISC for reporting this problem.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: CVE-1999-0835
CERT Advisory: CA-1999-14
Severity Metric: 8.86
Date Public: 1999-11-10
Date First Published: 2001-11-15
Date Last Updated: 2001-11-15 04:08 UTC
Document Revision: 7

Sponsored by CISA.