Juniper Networks

Signature Detail


Short Name: DNS:OVERFLOW:BIN
Severity: Critical
Recommended: Yes
Recommended Action: Drop
Category: DNS
Keywords: dns bin
Release Date: 2006/01/24
Update Number: 1213
Supported Platforms: di-5.3+

DNS: /bin Executable File Path


This signature detects DNS packets containing executable file paths. This almost always indicates an exploit attempt to spawn a command line, which would allow attackers to execute commands on the DNS server.
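The check this signature describes can be illustrated as follows (an added example, not Juniper's signature logic). The byte pattern, the function names and the sample packets are assumptions constructed here, since the page does not publish the actual pattern.

```python
import re
import struct

# Assumed pattern: an absolute path under a bin directory, e.g. /bin/sh.
# The vendor's real pattern is not given on the page.
BIN_PATH = re.compile(rb"/(?:usr/)?s?bin/[A-Za-z0-9_.-]{1,32}")

DNS_HEADER_LEN = 12  # fixed-size DNS header (RFC 1035)


def scan_dns_message(data, transport="udp"):
    """Return (offset, path) pairs for executable paths in one DNS message.

    Offsets are relative to the start of the DNS header.
    """
    if transport == "tcp":
        # DNS over TCP prefixes each message with a 2-byte length field.
        if len(data) < 2:
            return []
        (length,) = struct.unpack("!H", data[:2])
        data = data[2:2 + length]
    if len(data) < DNS_HEADER_LEN:
        return []  # too short to be a DNS message
    return [(m.start(), m.group().decode("ascii"))
            for m in BIN_PATH.finditer(data)]


def build_query(name, txid=0x1234):
    """Build an ordinary A/IN query for `name` (helper for the samples)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)


# Constructed samples. SUSPICIOUS is a normal query followed by filler
# bytes and a literal path string; it is a stand-in, not exploit traffic.
BENIGN = build_query("www.example.com")
SUSPICIOUS = build_query("example.com") + b"\x00" * 16 + b"/bin/sh\x00"
SUSPICIOUS_TCP = struct.pack("!H", len(SUSPICIOUS)) + SUSPICIOUS

if __name__ == "__main__":
    for label, pkt, transport in (("benign", BENIGN, "udp"),
                                  ("suspicious", SUSPICIOUS, "udp"),
                                  ("suspicious-tcp", SUSPICIOUS_TCP, "tcp")):
        hits = scan_dns_message(pkt, transport)
        print(label, "DROP" if hits else "pass", hits)
```
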

Extended Description

BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, in use by most of the DNS servers. Version 8 of BIND contains an overflow that may be exploitable by remote attackers. Due to a bug that is present when handling invalid transaction signatures, it is possible to overwrite some memory locations with a known value. If the request came in via the UDP transport, then the area partially overwritten is a stack frame in named. If the request came in via the TCP transport, then the area partially overwritten is in the heap and overwrites malloc's internal variables. This can be exploited to execute shellcode with the privileges of named (typically root).

Affected Products

  • ISC BIND 8.2.0
  • ISC BIND 8.2.1
  • ISC BIND 8.2.2
  • ISC BIND 8.2.2 P1
  • ISC BIND 8.2.2 P2
  • ISC BIND 8.2.2 P3
  • ISC BIND 8.2.2 P4
  • ISC BIND 8.2.2 P5
  • ISC BIND 8.2.2 P6
  • ISC BIND 8.2.2 P7

References

  • BugTraq: 2302
  • CVE: CVE-2001-0010
  • URL: http://www.debian.org/security/2001/dsa-026
  • URL: http://www.cert.org/advisories/CA-2001-02.html

Copyright© 1999-2010 Juniper Networks, Inc. All rights reserved.