Vulnerabilities > CVE-2002-1221 - Denial Of Service vulnerability in ISC BIND 8 Invalid Expiry Time

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2002:044
#


if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if(description)
{
 script_id(13765);
 script_version ("1.18");
 script_cvs_date("Date: 2019/10/25 13:36:27");
 script_cve_id("CVE-2002-1219", "CVE-2002-1221");
 
 name["english"] = "SUSE-SA:2002:044: bind8";
 
 script_name(english:name["english"]);
 
 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2002:044 (bind8).


The security research company ISS (Internet Security Services)
has discovered several vulnerabilities in the BIND8 name server,
including a remotely exploitable buffer overflow.


1.	There is a buffer overflow in the way named handles
SIG records. This buffer overflow can be exploited to
obtain access to the victim host under the account
the named process is running with.

2.	There are several Denial Of Service problems in BIND8
that allow remote attackers to terminate the name server
process.

Both vulnerabilities are addressed by this update, using patches
originating from ISC." );
 script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/2002_004_bind8.html" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");




 script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
 script_end_attributes();

 
 summary["english"] = "Check for the version of the bind8 package";
 script_summary(english:summary["english"]);
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);
 
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");
if ( rpm_check( reference:"bind8-8.2.3-200", release:"SUSE7.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bindutil-8.2.3-200", release:"SUSE7.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-8.2.3-200", release:"SUSE7.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bindutil-8.2.3-200", release:"SUSE7.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-8.2.3-200", release:"SUSE7.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bindutil-8.2.3-200", release:"SUSE7.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-devel-8.2.3-200", release:"SUSE7.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-8.2.4-261", release:"SUSE7.3") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bindutil-8.2.4-261", release:"SUSE7.3") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-devel-8.2.4-261", release:"SUSE7.3") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-8.2.4-260", release:"SUSE8.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bindutil-8.2.4-260", release:"SUSE8.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-devel-8.2.4-260", release:"SUSE8.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-8.2.4-260", release:"SUSE8.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bindutil-8.2.4-260", release:"SUSE8.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"bind8-devel-8.2.4-260", release:"SUSE8.1") )
{
 security_hole(0);
 exit(0);
}
if (rpm_exists(rpm:"bind8-", release:"SUSE7.0")
 || rpm_exists(rpm:"bind8-", release:"SUSE7.1")
 || rpm_exists(rpm:"bind8-", release:"SUSE7.2")
 || rpm_exists(rpm:"bind8-", release:"SUSE7.3")
 || rpm_exists(rpm:"bind8-", release:"SUSE8.0")
 || rpm_exists(rpm:"bind8-", release:"SUSE8.1") )
{
 set_kb_item(name:"CVE-2002-1219", value:TRUE);
 set_kb_item(name:"CVE-2002-1221", value:TRUE);
}

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-196. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(15033);
  script_version("1.29");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2002-0029", "CVE-2002-1219", "CVE-2002-1220", "CVE-2002-1221");
  script_bugtraq_id(6159, 6160, 6161);
  script_xref(name:"CERT", value:"229595");
  script_xref(name:"CERT", value:"542971");
  script_xref(name:"CERT", value:"581682");
  script_xref(name:"CERT", value:"844360");
  script_xref(name:"CERT", value:"852283");
  script_xref(name:"DSA", value:"196");

  script_name(english:"Debian DSA-196-1 : bind - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"[Bind version 9, the bind9 package, is not affected by these
problems.]

ISS X-Force has discovered several serious vulnerabilities in the
Berkeley Internet Name Domain Server (BIND). BIND is the most common
implementation of the DNS (Domain Name Service) protocol, which is
used on the vast majority of DNS servers on the Internet. DNS is a
vital Internet protocol that maintains a database of easy-to-remember
domain names (host names) and their corresponding numerical IP
addresses.

Circumstantial evidence suggests that the Internet Software Consortium
(ISC), maintainers of BIND, was made aware of these issues in
mid-October. Distributors of Open Source operating systems, including
Debian, were notified of these vulnerabilities via CERT about 12 hours
before the release of the advisories on November 12th. This
notification did not include any details that allowed us to identify
the vulnerable code, much less prepare timely fixes.

Unfortunately ISS and the ISC released their security advisories with
only descriptions of the vulnerabilities, without any patches. Even
though there were no signs that these exploits are known to the
black-hat community, and there were no reports of active attacks, such
attacks could have been developed in the meantime - with no fixes
available.

We can all express our regret at the inability of the ironically named
Internet Software Consortium to work with the Internet community in
handling this problem. Hopefully this will not become a model for
dealing with security issues in the future.

The Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities :

  - CAN-2002-1219: A buffer overflow in BIND 8 versions
    8.3.3 and earlier allows a remote attacker to execute
    arbitrary code via a certain DNS server response
    containing SIG resource records (RR). This buffer
    overflow can be exploited to obtain access to the victim
    host under the account the named process is running
    with, usually root.
  - CAN-2002-1220: BIND 8 versions 8.3.x through 8.3.3
    allows a remote attacker to cause a denial of service
    (termination due to assertion failure) via a request for
    a subdomain that does not exist, with an OPT resource
    record with a large UDP payload size.

  - CAN-2002-1221: BIND 8 versions 8.x through 8.3.3 allows
    a remote attacker to cause a denial of service (crash)
    via SIG RR elements with invalid expiry times, which are
    removed from the internal BIND database and later cause
    a null dereference.

These problems have been fixed in version 8.3.3-2.0woody1 for the
current stable distribution (woody), in version 8.2.3-0.potato.3 for
the previous stable distribution (potato) and in version 8.3.3-3 for
the unstable distribution (sid). The fixed packages for unstable will
enter the archive today."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2002/dsa-196"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the bind package immediately, update to bind9, or switch to
another DNS server implementation."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2002/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"2.2", prefix:"bind", reference:"8.2.3-0.potato.3")) flag++;
if (deb_check(release:"2.2", prefix:"bind-dev", reference:"8.2.3-0.potato.3")) flag++;
if (deb_check(release:"2.2", prefix:"bind-doc", reference:"8.2.3-0.potato.3")) flag++;
if (deb_check(release:"2.2", prefix:"dnsutils", reference:"8.2.3-0.potato.3")) flag++;
if (deb_check(release:"2.2", prefix:"task-dns-server", reference:"8.2.3-0.potato.3")) flag++;
if (deb_check(release:"3.0", prefix:"bind", reference:"8.3.3-2.0woody1")) flag++;
if (deb_check(release:"3.0", prefix:"bind-dev", reference:"8.3.3-2.0woody1")) flag++;
if (deb_check(release:"3.0", prefix:"bind-doc", reference:"8.3.3-2.0woody1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security 
#      Ian Koenig <[email protected]> (nb: this domain no longer exists)
#      Added BugtraqID and CVE
#      Updated to handle two specific types of attacks instead of just a general
#        statement of "vulnerable to DNS storm attacks".
#      


include("compat.inc");

if (description)
{
 script_id(10886);
 script_version("1.31");
 script_cvs_date("Date: 2018/06/27 18:42:25");

 script_cve_id("CVE-2002-1219", "CVE-2002-1220", "CVE-2002-1221");
 script_bugtraq_id(6159, 6160, 6161);
 script_xref(name:"SuSE", value:"SUSE-SA:2002:044");
 
 script_name(english:"ISC BIND < 8.3.4 Multiple Remote Vulnerabilities");
 script_summary(english:"Checks the remote BIND version");
 
 script_set_attribute(attribute:"synopsis", value:
"It is possible to use the remote name server to break into the
remote host.");
 script_set_attribute(attribute:"description", value:
"The remote name server, according to its version number, is affected
by the following vulnerabilities :

- When running the recursive DNS functionality, this server is
vulnerable to a buffer overflow attack that may let an attacker
execute arbitrary code on the remote host. 

- It is vulnerable to a denial of service attack (crash) via SIG RR
elements with invalid expiry times. 

- It is vulnerable to a denial of service attack when a DNS lookup is
requested on a nonexistent sub-domain of a valid domain and an OPT
resource record with a large UDP payload is attached, the server may
fail.");
 script_set_attribute(attribute:"solution", value:"Upgrade to BIND 8.3.4 or newer");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/03/08");
 script_set_attribute(attribute:"vuln_publication_date", value:"2002/11/12");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english: "DNS");

 script_dependencie("bind_version.nasl");
 script_require_keys("bind/version");
 exit(0);
}

vers = get_kb_item("bind/version");
if(!vers)exit(0);

if(ereg(string:vers,
	 pattern:"^8\.(([0-1].*)|(2\.[0-6])|(3\.0\.[0-3])).*"))security_hole(53);