CERT® Incident Note IN-2001-03The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Exploitation of BIND VulnerabilitiesDate: Friday, March 30, 2001
On January 29, 2001 the CERT/CC published CERT Advisory CA-2001-02 detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are now actively being exploited by the intruder community to compromise systems. In particular, these vulnerabilities are being exploited:
Multiple exploits exist for multiple operating system platforms, and we have seen several versions of packaged kits containing exploits used by intruders to automate the process of scanning for and compromising vulnerable systems. At least one known toolkit employs worm-like techniques designed to cause the attack cycle to self-initiate on a compromised host, which can result in the attack propagating across multiple hosts and networks without intruder interaction. To date, reports to the CERT/CC indicate that successful exploitation has involved hosts running Linux.
In exploitations seen by the CERT/CC, the two vulnerabilities in ISC BIND are used in conjunction with each other during a single attack to compromise a target host.
The exploits we have seen have the following traffic pattern:
attacker:port -> victim:53 TCP SYN victim:53 -> attacker:port TCP SYN ACK attacker:port -> victim:53 TCP ACK (TCP session established) attacker:port -> victim:53 UDP DNS inverse query request
The exploit opens a TCP connection to port 53 on the victim host and then sends a specially formed DNS inverse query packet to the target via UDP. The inverse query packet is an exploit of the BIND information leak vulnerability ( VU#325431) described in CERT Advisory CA-2001-02. The nameserver response may vary depending on the configuration of the nameserver and the influence of access control mechanisms. In most cases, we have seen a response in a single UDP packet back to the source indicating a format error in the inverse query.
victim:53 -> attacker:port UDP DNS inverse query format error
If the information returned in the inverse query response packet indicates that the target DNS server is not vulnerable to the TSIG exploit, the exploit process closes the TCP connection and exits. However, if the information yielded from the information leak exploit indicates a vulnerable BIND, the exploit process proceeds with the TSIG exploit. The traffic pattern looks like this:
attacker:port -> victim:53 UDP (shellcode) victim:53 -> attacker:port UDP DNS format error attacker:port -> victim:53 TCP (payload)In exploits we have seen, the shellcode is sent by the exploit using UDP, causing /bin/sh to be attached to the existing socket connection on port 53/tcp. Then, the exploit sends shell commands on 53/tcp for execution on the compromised host as the user running the nameserver process.
Examples of two specific toolkits employing this type of exploit are discussed below. Note, intruder toolkits often change over time, so exact composition and attack sequences may vary from these descriptions.
A small number of incidents reported to the CERT/CC since mid February of 2001 have involved the use of a toolkit called 'erkms'. However, the incidents have in total involved more than 10,000 hosts.
The attack portion of 'erkms' uses the following tools:
A growing number of incidents reported to the CERT/CC since mid February of 2001 have involved the use of a toolkit called '1i0n', or 'lion'. Multiple versions of '1i0n' are known to exist, but in all versions we have seen the same attack profile described above used to exploit vulnerabilities in victim hosts.
All known versions of '1i0n' seem to perform the following similar actions via automated scripts to locate and attack victim hosts.
The attack cycle continues through the entire /16 network block, at which point a new /16 network block is randomly selected and the attack cycle begins again.
The payload of the exploit code retrieves a copy of the '1i0n' toolkit and installs it on the compromised victim host. At that point, a new attack cycle is initiated on the victim host without any intruder intervention. The source of the '1i0n' toolkit installed on a compromised host and the composition of that toolkit may vary significantly between versions. Some examples of what we have seen include:
More information about '1i0n' has been published by The SANS Institute.
Intruders are using automated and self-replicating toolkits to exploit known vulnerabilities in ISC BIND. Exploit code is in wide public circulation.
Systems running vulnerable versions of ISC BIND are at risk for being compromised on a widespread basis. Compromised hosts are at high risk for being used to attack other Internet sites, having system binaries and configuration files altered, and having sensitive information exposed to external parties.
The CERT/CC encourages all Internet sites to review CERT Advisory CA-2001-02 and insure workarounds or patches have been applied on all affected hosts on your network.
As a good security practice, access to nameservers on TCP port 53 should be restricted to trusted sources only using nameserver configuration options, host-based access control lists, and/or network-based access control through packet filtering.
If you believe a host under your control has been compromised, you may wish to refer to
Author(s): Kevin Houle, George Weaver, Ian Finlay
This document is available from: http://www.cert.org/incident_notes/IN-2001-03.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.