{"vuid":"VU#13145","idnumber":"13145","name":"BIND memcpy not bounded in case T_SIG of rrextract()","keywords":["BIND","ISC","DNS","named","T_SIG","rrextract"],"overview":"Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.","clean_desc":"Version 8.2.2 of BIND includes some checks for the correct format of a signature record in DNSSEC that previous versions did not. Specifically, in the file ns_resp.c, there is a routine called 'rrextract' (rr = \"resource record\"). rrextract contains a large switch block that converts resource records from the network format to the database format, doing different things depending on the type of record received. For case T_SIG, it decodes the signature records. When it gets to the name of the signing domain, there is the following block of code: /* then the signer's name */\n                n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data) - 18); if (n < 0 || n + NS_SIG_SIGNER > dlen) {\n                        hp->rcode = FORMERR; return (-1); Slightly later, there is code that reads: n = dlen - (NS_SIG_SIGNER + n); and then... memcpy(cp1, cp, n); If an intruder can cause n to be large, the third argument to the memcpy will be negative. The third argument is an unsigned int, so it will be interpreted as a large positive value. Thus you can indeed overflow a buffer, but it is a very, very large one (~4GB on a 32-bit machine); it may not be possible to use this overflow to execute code. dn_expand is a routine that actually converts the resource record from the wire format to the database format. It returns -1 if there is an error in decoding the resource record. NS_SIG_SIGNER is defined in nameser.h as follows: /* Offsets into SIG record rdata to find various values */ #define NS_SIG_SIGNER   18      /* Domain name of who signed it */ Previous versions of BIND do not include the checks related to NS_SIG_SIGNER, only a check for a negative value returned from dn_expand (an error). Without this check it appears that if a nameserver returns a malformed value, BIND will crash.","impact":"Intruders may be able to interrupt the normal operations of your nameserver.","resolution":"Upgrade to BIND 8.2.2 patch level 5 or later.","workarounds":"","sysaffected":"","thanks":"Thanks to ISC for reporting this problem.","author":"This document was written by Shawn V Hernan.","public":["http://www.isc.org/products/BIND/bind-security-19991108.html","Redhat Security Advisory RHSA-1999:054-01","http://www.debian.org/security/1999/19991116"],"cveids":["CVE-1999-0835"],"certadvisory":"CA-1999-14","uscerttechnicalalert":null,"datecreated":"2000-07-18T15:38:47Z","publicdate":"1999-11-10T00:00:00Z","datefirstpublished":"2001-11-15T04:02:09Z","dateupdated":"2001-11-15T04:08:18Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"15","cam_impact":"9","cam_easeofexploitation":"7","cam_attackeraccessrequired":"20","cam_scorecurrent":"8.859375","cam_scorecurrentwidelyknown":"10.63125","cam_scorecurrentwidelyknownexploited":"17.71875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":8.859375,"vulnote":null}