Date: Sat, 24 Feb 2001 01:09:42 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
To: Christopher Farley <chris@northernbrewer.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Bind TSIG exploit
Message-ID: <Pine.NEB.3.96L.1010224010605.72674B-100000@fledge.watson.org>
In-Reply-To: <20010222023233.A629@northernbrewer.com>
On Thu, 22 Feb 2001, Christopher Farley wrote:

> My non-technical armchair analysis of the core dump indicates the TSIG
> exploit (based on the presence of ';; TSIG invalid (%s)' at the top of
> the core file -- how's that for non-technical?).

A coredump generally corresponds with a failed attempt to exploit a bug present -- a successful exploit will not result in the process being killed and dumped; instead it generally results in a /bin/sh with I/O bound to the socket. However, that doesn't mean that you weren't compromised: the unsuccessful compromise could be a result of using an exploit targeted at another operating system and/or hardware platform (probably Linux or Solaris, as those are popular targets), or it could be the result of an incorrect offset being used when overflowing the buffer, in which case they might have the right exploit for your machine; they just need to work through the offset space to find the right one for your machine.

As Kris recommended, you probably want to reinstall the machine from scratch, and subscribe to the FreeBSD security-notifications mailing list if you haven't already. Extracting the exploit is probably not a useful exercise as (unless it exploits a new/different bug) an exploit has already been posted and is widely circulated, so chances are it is the same one.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
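As an added example (not part of the thread above), a small Python triage helper in the spirit of the analysis: it pulls printable strings from a core image the way strings(1) would, checks whether the ';; TSIG invalid (%s)' marker sits near the top of the file, and counts repeated named crashes in constructed FreeBSD-style syslog lines, since a string of failed attempts is the pattern Watson describes when an exploit is run with the wrong offsets. The core bytes and log lines are constructed samples, not data from the original incident.

```python
from __future__ import annotations
import re
from typing import Iterable

# String named formats when it rejects a TSIG, quoted in the thread as the
# marker seen at the top of the core file.
TSIG_MARKER = b";; TSIG invalid (%s)"

# FreeBSD kernel message for a process that died on a signal and dumped core.
CRASH_RE = re.compile(
    r"pid \d+ \((?P<proc>\w+)\), uid \d+: exited on signal (?P<sig>\d+) \(core dumped\)"
)

def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, in the spirit of strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def triage_core(blob: bytes, head_bytes: int = 4096) -> dict:
    """Report whether the TSIG marker is present and whether it is near the top of the core."""
    offset = blob.find(TSIG_MARKER)
    return {
        "tsig_marker_found": offset >= 0,
        "near_top": 0 <= offset < head_bytes,
        "offset": offset,
        "strings": extract_strings(blob),
    }

def count_named_crashes(lines: Iterable[str]) -> int:
    """Count '(core dumped)' exits for named; several in a row suggest repeated failed attempts."""
    return sum(
        1 for ln in lines
        if (m := CRASH_RE.search(ln)) and m.group("proc") == "named"
    )

# Constructed sample core image: a short header, the marker, then filler and one more string.
SAMPLE_CORE = b"\x7fELF\x00\x01" + b"\x00" * 40 + TSIG_MARKER + b"\x00" * 100 + b"named[53]: zone loaded"

# Constructed syslog lines: three named crashes in quick succession and one unrelated crash.
SAMPLE_LOG = [
    "Feb 22 02:10:01 ns1 /kernel: pid 412 (named), uid 53: exited on signal 11 (core dumped)",
    "Feb 22 02:10:09 ns1 /kernel: pid 418 (named), uid 53: exited on signal 11 (core dumped)",
    "Feb 22 02:10:17 ns1 /kernel: pid 425 (named), uid 53: exited on signal 11 (core dumped)",
    "Feb 22 02:11:00 ns1 /kernel: pid 430 (sh), uid 0: exited on signal 6 (core dumped)",
]

if __name__ == "__main__":
    print(triage_core(SAMPLE_CORE))
    print("named crashes:", count_named_crashes(SAMPLE_LOG))
```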