Date: Sun, 30 Oct 2011 09:05:52 +1100
From: Mark Andrews <marka@....org>
To: nix@...roxylists.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: bind-9.8.1 remote code exec exploit?


In message <c2122821abc4d89254092500a8814215.squirrel@...eframe.net>, nix@...roxylists.com writes:
> Hello list.
> 
> I have a source compile of BIND 9.8.1 on the server.
> 
> I've been investigating weird iptables messages as follows:
> 
> Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29
> LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060
> LEN=94
> 
> I received a message from my ISP abuse that my server is scanning SIP port
> 5060 and I set the firewall rule to deny/log all UDP connections out of
> the box to port 5060 to get timestamps for further investigation. This
> happened before I set the firewall rule.

You are just blocking legitimate reply traffic.  Your ISP is probably
misclassifying traffic it sees destined to port 5060.  Nameservers
randomly pick source ports to make it harder for off path attackers
to spoof reply packets and, unless something is already using port
5060, port 5060 is fair game.

You can stop your own nameservers using 5060 as a query source port
with avoid-v4-udp-ports but it doesn't do much to help with queries
to you.

	avoid-v4-udp-ports { 5060; };
	avoid-v6-udp-ports { 5060; };

You should also adjust your firewall to let packets sourced from
port 53 on your nameservers to any port go through.  That way you
won't get false positives.

Mark

> /var/log/named.log
> 
> 05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error
> sending response: host unreachable
> 07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060: error
> sending response: host unreachable
> 08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error
> sending response: host unreachable
> 08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060: error
> sending response: host unreachable
> 12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060: error
> sending response: host unreachable
> 14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060: error
> sending response: host unreachable
> 15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060: error
> sending response: host unreachable
> 16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error
> sending response: host unreachable
> 17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error
> sending response: host unreachable
> 23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060: error
> sending response: host unreachable
> 25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060: error
> sending response: host unreachable
> 25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error
> sending response: host unreachable
> 29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error
> sending response: host unreachable
> 
> Timestamps match exactly the kernel's firewall log. Every time the BIND error
> log has the above entry, the box tries to scan for SIP port 5060.
> 
> Is it possible to scan ports through BIND or exec code by sending a
> specially crafted request?
> 
> PS. I have been tracking this issue for a week and no other timestamps
> match exactly this issue. I currently have grsec exec logging on
> and am hoping this issue occurs soon so I can see whether it will execute
> extra code under the user 'bind'.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@....org
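The triage Mark describes can be done mechanically: correlate the outbound UDP firewall hits with BIND's "error sending response" warnings and label each hit by source/destination port. The script below is an added example for this thread, not code from the poster or from ISC; the log lines in it are constructed from the formats quoted in the mail (the original iptables line was wrapped by the mailer; here it is on one line), the server address 192.0.2.1 and the TEST-NET client addresses are placeholders, and the syslog year is assumed to be 2011 because kernel log lines carry no year.

```python
"""Correlate outbound UDP firewall log lines with BIND 'error sending
response' warnings to tell DNS reply traffic apart from real SIP scanning.

Added example for this thread; the log lines below are constructed from the
formats quoted in the mail and are not the original poster's full logs.
"""
import re
from datetime import datetime, timedelta

# Syslog lines carry no year; the thread is from October 2011, so assume it.
ASSUMED_YEAR = 2011
# A named warning within this window of the firewall hit counts as a match.
MATCH_WINDOW = timedelta(seconds=2)

# Constructed sample: the quoted hit, a query our resolver sent from random
# source port 5060, and an outbound packet that no DNS explanation fits.
IPTABLES_LOG = """\
Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=192.0.2.1 DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94
Oct 29 14:53:20 NIX kernel: IN= OUT=eth0 SRC=192.0.2.1 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31800 PROTO=UDP SPT=5060 DPT=53 LEN=40
Oct 29 14:53:25 NIX kernel: IN= OUT=eth0 SRC=192.0.2.1 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31801 PROTO=UDP SPT=40001 DPT=5060 LEN=40
"""

NAMED_LOG = """\
29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
"""

IPTABLES_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=UDP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
NAMED_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client: warning: "
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): error sending response"
)


def parse_iptables(text):
    """Return outbound UDP hits as dicts with timestamp, addresses and ports."""
    events = []
    for line in text.splitlines():
        m = IPTABLES_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return events


def parse_named(text):
    """Return BIND 'error sending response' warnings with client ip#port."""
    events = []
    for line in text.splitlines():
        m = NAMED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "port": int(m["port"])})
    return events


def classify(fw_event, named_events):
    """Label one outbound UDP firewall hit using the reasoning from the thread.

    Returns (label, corroborated); corroborated is True when a named warning
    for the same client ip#port sits within MATCH_WINDOW of the hit.
    """
    if fw_event["spt"] == 53:
        # Source port 53 means named is answering a query; the remote client
        # happened to pick 5060 as its query source port.  This is the case
        # the ISP is misclassifying as a SIP scan.
        corroborated = any(
            n["ip"] == fw_event["dst"] and n["port"] == fw_event["dpt"]
            and abs(n["ts"] - fw_event["ts"]) <= MATCH_WINDOW
            for n in named_events)
        return "dns-response", corroborated
    if fw_event["dpt"] == 53:
        # Our own resolver chose the logged source port at random for an
        # outgoing query; avoid-v4-udp-ports / avoid-v6-udp-ports stops that.
        return "dns-query-random-source-port", False
    # Neither port is 53: not explained by DNS, so this one deserves a look.
    return "unexplained", False


def triage(iptables_text, named_text):
    """Return (dst, spt, dpt, label, corroborated) for every firewall hit."""
    named = parse_named(named_text)
    return [(e["dst"], e["spt"], e["dpt"]) + classify(e, named)
            for e in parse_iptables(iptables_text)]


if __name__ == "__main__":
    for row in triage(IPTABLES_LOG, NAMED_LOG):
        print(row)
```

The quoted hit (SPT=53, DPT=5060, matching named warning) comes out as a corroborated DNS response, which is the outcome Mark's reply predicts; only hits where neither port is 53 are left as "unexplained" for further investigation. The same split also tells you which firewall rule to relax: traffic sourced from port 53 on the nameserver is reply traffic and should be allowed out regardless of destination port.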

