RE: [cobalt-users] BIND vulnerability



Jeff Lasman wrote in response to Dom Latter:
> Unfortunately not true, Dom.
> 
> The vulnerability that gives root access is already in bind.
> 
> Once the machine is compromised, there are plenty of perl 
> scripts which the cracker (actually the root kit used by the 
> script-kiddies) will use to do what s/he wants.

Sorry to take you to task over this, Jeff, but Dom is exactly right. The
*vulnerability* is there, sure, but all it gives you is the opportunity
to run arbitrary code on the machine (where code in this case means CPU
specific code) which may then give you remote access. What you do with
that remote access (run a shell bound to a port, shut down the machine,
remove the zone files, whatever) is entirely dependent on the *exploit*
code rather than the vulnerability itself.
It's like the difference between leaving your back door open and finding
your neighbour's noticed it, compared to leaving your back door open and
finding someone's been in and pinched your microwave.

In my experience (sadly rather more than I would like...) the actual
code to give you root access is not only CPU specific but also OS
specific - shellcode for a BSD system won't work on Linux, Solaris et
al. The Linux shellcode won't work on the others (usually).

In the case of this BIND vulnerability, at the moment it's just that - a
vulnerability, a hole. There is no reported (yet!) exploit in-the-wild
which will actually result in a compromise of a machine, because the
discoverers of the vulnerability chose not to release them. By releasing
the details however it's only a matter of time before someone comes
along with an exploit.

As soon as an update is available with which you're comfortable, install
it.

Graeme