FreeBSD
- March 5, 2009
The first security-related bug in djbdns
As someone put it, hell froze over today.
Daniel Bernstein, aka djb, has for the first time paid out the promised $1000 for the first security-related bug in djbdns.
Basically, if a subdomain of yours (a setup that is discouraged, but supported) is controlled by a third party, that third party can poison your cache so that it sends out wrong answers to DNS queries. Details of the bug and how to exploit it can be found here.
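To make the mechanism concrete, here is an added example (my own constructed model, not code from djbdns or from this post): a miniature of the name-compression bookkeeping in response.c, in which a name written into the response is remembered so that later occurrences can be replaced by a 2-byte pointer. The `patched` switch selects either the 1.05 rule or the extra bound from Dempsky's patch quoted further down; `demo_name`, `resp_addname` and `demo_second_add_size` are names I chose.

```c
#include <string.h>
/* Constructed model of the compression bookkeeping in djbdns response.c (not the
 * project's code). A DNS compression pointer is 0xC000 | offset, so the offset must
 * fit in 14 bits (< 16384); the djbdns 1.05 rule never checked that. */
#define NAMES 100
#define RESP_MAX 65535
static unsigned char resp[RESP_MAX], names[NAMES][128];
static unsigned int resp_len, name_ptr[NAMES], name_num;
static int patched;  /* 0: djbdns 1.05 rule, 1: with Dempsky's extra bound */
const unsigned char demo_name[] = "\003sub\007example\003com";  /* sub.example.com */
/* Length of a wire-format name including its terminating zero label. */
static unsigned int dns_len(const unsigned char *d) {
    unsigned int n = 0;
    while (d[n]) n += d[n] + 1;
    return n + 1;
}
/* Append name d; emit a 2-byte pointer if an identical name was recorded. */
int resp_addname(const unsigned char *d) {
    unsigned int dlen = dns_len(d), i;
    for (i = 0; i < name_num; ++i)
        if (dlen <= 128 && !memcmp(names[i], d, dlen)) {
            unsigned int v = 49152 + name_ptr[i];  /* the sum from response.c; only */
            resp[resp_len++] = (v >> 8) & 0xFF;    /* its low 16 bits survive the   */
            resp[resp_len++] = v & 0xFF;           /* 2-byte pack, so 0xC0 is lost  */
            return 1;
        }
    /* 1.05 recorded every short name as a pointer target; the patch also
     * requires the offset to be representable in a 14-bit pointer. */
    if (dlen <= 128 && (!patched || resp_len < 16384) && name_num < NAMES) {
        memcpy(names[name_num], d, dlen);
        name_ptr[name_num++] = resp_len;
    }
    if (resp_len + dlen > RESP_MAX) return 0;
    memcpy(resp + resp_len, d, dlen);
    resp_len += dlen;
    return 1;
}
/* Scenario: 'offset' filler bytes stand in for earlier records; append demo_name
 * twice and return the bytes the second append used (2 = pointer, 17 = full name). */
unsigned int demo_second_add_size(int use_patch, unsigned int offset) {
    if (offset > RESP_MAX - 256) return 0;
    resp_len = offset; name_num = 0; patched = use_patch;
    memset(resp, 0, offset);
    resp_addname(demo_name);
    unsigned int before = resp_len;
    resp_addname(demo_name);
    return resp_len - before;
}
/* The 16-bit value of the last two bytes written (0xC000 | offset for a pointer). */
unsigned int last_u16(void) { return (resp[resp_len - 2] << 8) | resp[resp_len - 1]; }
```

With the 1.05 rule, a name first seen at offset 16384 is later "compressed" to the two bytes 00 00, which a resolver reads as the root label rather than as a pointer; with the bound in place the name is simply written out again.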
Still, the first alpha of djbdns was made public 10 years ago and this is the first security bug (the current version of djbdns was released in February 2001). That is a really good security record, especially considering that a big company like Microsoft can't even manage 10 months without new security bugs…
So a new version will be released soon, and djb says it will come with a new security guarantee.
Here is the original announcement from Bernstein:
Date: 4 Mar 2009 01:34:21 -0000
From: D. J. Bernstein
To: dns@list.cr.yp.to
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains
If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)
Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.
The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.
—D. J. Bernstein
Research Professor, Computer Science, University of Illinois at Chicago
--- response.c.orig 2009-02-24 21:04:06.000000000 -0800
+++ response.c 2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
uint16_pack_big(buf,49152 + name_ptr[i]);
return response_addbytes(buf,2);
}
- if (dlen <= 128)
+ if ((dlen <= 128) && (response_len < 16384))
if (name_num < NAMES) {
byte_copy(name[name_num],dlen,d);
name_ptr[name_num] = response_len;
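Review bot: the added bound `response_len < 16384` matches the pointer encoding used three lines above the change, `uint16_pack_big(buf,49152 + name_ptr[i])`: 49152 is 0xC000, the two flag bits of a 16-bit compression pointer, which leaves 14 bits (offsets up to 16383) for the offset, so a name recorded at a larger offset produces a sum that no longer fits in 16 bits and is truncated by the pack into bytes that are not a pointer at all. Two small changes would make the one-liner self-explanatory: a named constant or a comment tying 16384 to the 14-bit pointer field, and braces around the nested `if (name_num < NAMES)` block so it is visible that both conditions gate the recording of a new compression target.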