The response_addname function in response.c in Daniel J. Bernstein djbdns 1.05 and earlier does not constrain offsets in the required manner, which allows remote attackers, with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://secunia.com/advisories/35820 | third party advisory |
| http://www.securityfocus.com/archive/1/501340/100/0/threaded | mailing list |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/49003 | vdb entry |
| http://www.securityfocus.com/archive/1/501479/100/0/threaded | mailing list |
| http://securityandthe.net/2009/03/05/security-issue-in-djbdns-confirmed/ | patch |
| http://www.debian.org/security/2009/dsa-1831 | vendor advisory |
| http://marc.info/?l=djbdns&m=123613000920446&w=2 | mailing list |
| http://www.securityfocus.com/bid/33937 | vdb entry exploit |
| http://www.securityfocus.com/archive/1/501294/100/0/threaded | mailing list |
| http://marc.info/?l=djbdns&m=123554945710038 | mailing list |
| http://it.slashdot.org/article.pl?sid=09/03/05/2014249 |