1 files changed, 46 insertions, 0 deletions
diff --git a/informationals/teso-i0010.txt b/informationals/teso-i0010.txt
new file mode 100644
index 0000000..a0703e9
--- /dev/null
+++ b/informationals/teso-i0010.txt
@@ -0,0 +1,46 @@
+0010 2000/01/30  Trick for exploiting BIND nameservers
+==== TESO Informational =======================================================
+This piece of information is to be kept confidential.
+===============================================================================
+Description ..........: Trick for exploiting BIND nameservers
+Date .................: 2000/01/30 12:00
+Author ...............: scut
+Publicity level ......: unknown
+Affected .............: networks with multiple BIND nameservers
+Type of entity .......: misconfiguration
+Type of discovery ....: useful information
+Severity/Importance ..: low
+Found by .............: scut, inspired by smilers ideas and his NXT exploit
+Information ===================================================================
+When exploiting BIND bugs it is often necessary to make the remote nameserver
+issue a query to your nameserver, which is in some cases a pseudo server which
+sends an exploiting packet back on query.
+However in some cases DNS queries aren't allowed to the remote server, although
+you know the server is vulnerable you cannot exploit this weakness, because
+you cannot make it to query your exploiting server.
+The DNS server may accept queries only from a predefined IP range, for example
+the IP range of that subnetwork. Often other DNS servers can be found in the
+subnetwork. At the same time it is often the case that these servers are
+configured to just relay the queries to another DNS server. By using a "deaf"
+pseudo-nameserver, which just responds to the IP of the nameserver you want
+to exploit (smilers NXT exploit does support this) you can now exploit that
+server by querying the other nameserver, which accepts your queries, which
+then happily relays the question to the main nameserver.
+This nameserver may not carry out the query directly if you'd answer the query
+if it is issued by another nameserver (see TESO Informational #0006), but if
+you don't answer it this nameserver will after a few seconds issue that query
+itself, allowing you to exploit it.
+Also using nameserver path discovery (also in #0006) you may be able to spoof
+send the reply in between two nameservers, which is not possible in the NXT case
+but maybe required for future exploits.
+===============================================================================

diff --git a/informationals/teso-i0010.txt b/informationals/teso-i0010.txt new file mode 100644 index 0000000..a0703e9 --- /dev/null +++ b/informationals/teso-i0010.txt
@@ -0,0 +1,46 @@
	1	0010 2000/01/30 Trick for exploiting BIND nameservers
	2
	3	==== TESO Informational =======================================================
	4	This piece of information is to be kept confidential.
	5	===============================================================================
	6
	7	Description ..........: Trick for exploiting BIND nameservers
	8	Date .................: 2000/01/30 12:00
	9	Author ...............: scut
	10	Publicity level ......: unknown
	11	Affected .............: networks with multiple BIND nameservers
	12	Type of entity .......: misconfiguration
	13	Type of discovery ....: useful information
	14	Severity/Importance ..: low
	15	Found by .............: scut, inspired by smilers ideas and his NXT exploit
	16
	17	Information ===================================================================
	18
	19	When exploiting BIND bugs it is often necessary to make the remote nameserver
	20	issue a query to your nameserver, which is in some cases a pseudo server which
	21	sends an exploiting packet back on query.
	22
	23	However in some cases DNS queries aren't allowed to the remote server, although
	24	you know the server is vulnerable you cannot exploit this weakness, because
	25	you cannot make it to query your exploiting server.
	26
	27	The DNS server may accept queries only from a predefined IP range, for example
	28	the IP range of that subnetwork. Often other DNS servers can be found in the
	29	subnetwork. At the same time it is often the case that these servers are
	30	configured to just relay the queries to another DNS server. By using a "deaf"
	31	pseudo-nameserver, which just responds to the IP of the nameserver you want
	32	to exploit (smilers NXT exploit does support this) you can now exploit that
	33	server by querying the other nameserver, which accepts your queries, which
	34	then happily relays the question to the main nameserver.
	35
	36	This nameserver may not carry out the query directly if you'd answer the query
	37	if it is issued by another nameserver (see TESO Informational #0006), but if
	38	you don't answer it this nameserver will after a few seconds issue that query
	39	itself, allowing you to exploit it.
	40
	41	Also using nameserver path discovery (also in #0006) you may be able to spoof
	42	send the reply in between two nameservers, which is not possible in the NXT case
	43	but maybe required for future exploits.
	44
	45	===============================================================================
	46