Bugtraq mailing list archives

Re: BIND 4.9.7 named follows symlinks, clobbers anything.

From: Mark.Andrews () CMIS CSIRO AU (Mark.Andrews () CMIS CSIRO AU)
Date: Sun, 12 Apr 1998 15:27:20 +1000

[ Posted to BUGTRAQ and comp.protocols.dns.bind ]
[ Standard apologies if this is already known - a search on the Bugtraq
  archive and Deja News comp.protocols.dns.bind doesn't indicate it.]


        The standard place to report bugs in BIND is bind-bugs () vix com.

        The following addresses the issues below and a few others by
        change 4.9.7 to do what 8.1.x does, i.e. use to directory
        specified in named.{boot,conf} for temporaries and debug dumps.

        Mark

*** named/ns_init.c.000 Mon Jun  2 06:34:35 1997
--- named/ns_init.c     Sun Apr 12 13:12:05 1998
***************
*** 560,567 ****
                                 * We will always transfer this zone again
                                 * after a reload.
                                 */
!                               sprintf(buf, "%s/NsTmp%ld.%d", _PATH_TMPDIR,
!                                       (long)getpid(), tmpnum++);
                                source = savestr(buf);
                                zp->z_flags |= Z_TMP_FILE;
                        } else
--- 560,567 ----
                                 * We will always transfer this zone again
                                 * after a reload.
                                 */
!                               sprintf(buf, "NsTmp%ld.%d", (long)getpid(),
!                                       tmpnum++);
                                source = savestr(buf);
                                zp->z_flags |= Z_TMP_FILE;
                        } else
*** named/ns_main.c.000 Mon Jun  2 06:34:36 1997
--- named/ns_main.c     Sun Apr 12 14:51:45 1998
***************
*** 1463,1469 ****
        dprintf(1, (ddt, "sigprof()\n"));
        if (fork() == 0)
        {
-               (void) chdir(_PATH_TMPDIR);
                exit(1);
        }
        errno = save_errno;
--- 1463,1468 ----
*** named/pathnames.h.000       Thu Dec 15 17:24:22 1994
--- named/pathnames.h   Sat Apr 11 10:57:45 1998
***************
*** 74,88 ****
  #ifndef _PATH_XFER
  # define _PATH_XFER   "/usr/libexec/named-xfer"
  #endif
! #define       _PATH_DEBUG     "/var/tmp/named.run"
! #define       _PATH_DUMPFILE  "/var/tmp/named_dump.db"
  #ifndef _PATH_PIDFILE
  # define _PATH_PIDFILE        "/var/run/named.pid"
  #endif
! #define       _PATH_STATS     "/var/tmp/named.stats"
! #define       _PATH_XFERTRACE "/var/tmp/xfer.trace"
! #define _PATH_XFERDDT "/var/tmp/xfer.ddt"
! #define       _PATH_TMPXFER   "/var/tmp/xfer.ddt.XXXXXX"
  #define       _PATH_TMPDIR    "/var/tmp"

  #else /* BSD */
--- 74,88 ----
  #ifndef _PATH_XFER
  # define _PATH_XFER   "/usr/libexec/named-xfer"
  #endif
! #define       _PATH_DEBUG     "named.run"
! #define       _PATH_DUMPFILE  "named_dump.db"
  #ifndef _PATH_PIDFILE
  # define _PATH_PIDFILE        "/var/run/named.pid"
  #endif
! #define       _PATH_STATS     "named.stats"
! #define       _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define       _PATH_TMPXFER   "xfer.ddt.XXXXXX"
  #define       _PATH_TMPDIR    "/var/tmp"

  #else /* BSD */
***************
*** 92,106 ****
  #ifndef _PATH_XFER
  # define _PATH_XFER   "/etc/named-xfer"
  #endif
! #define       _PATH_DEBUG     "/usr/tmp/named.run"
! #define       _PATH_DUMPFILE  "/usr/tmp/named_dump.db"
  #ifndef _PATH_PIDFILE
  # define _PATH_PIDFILE        "/etc/named.pid"
  #endif
! #define       _PATH_STATS     "/usr/tmp/named.stats"
! #define       _PATH_XFERTRACE "/usr/tmp/xfer.trace"
! #define _PATH_XFERDDT "/usr/tmp/xfer.ddt"
! #define       _PATH_TMPXFER   "/usr/tmp/xfer.ddt.XXXXXX"
  #define       _PATH_TMPDIR    "/usr/tmp"
  #endif /* BSD */

--- 92,106 ----
  #ifndef _PATH_XFER
  # define _PATH_XFER   "/etc/named-xfer"
  #endif
! #define       _PATH_DEBUG     "named.run"
! #define       _PATH_DUMPFILE  "named_dump.db"
  #ifndef _PATH_PIDFILE
  # define _PATH_PIDFILE        "/etc/named.pid"
  #endif
! #define       _PATH_STATS     "named.stats"
! #define       _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define       _PATH_TMPXFER   "xfer.ddt.XXXXXX"
  #define       _PATH_TMPDIR    "/usr/tmp"
  #endif /* BSD */


The new named(8) happily follows symlinks and clobbers any file on the
system when it receives a SIGINT. (Used for debugging and statistics
gathering) SIGINT dumps the named database to /var/tmp/named_dump.db

It will also happily append data to any system file when it receives a
SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats.

This problem is probably recursive to previous versions of named but since
I've already replaced mine I can't confirm that.

On Wed, 8 Apr 1998, Aleph One wrote:

[Snippage of the latest CERT]

     (Note: the in.named(8) man page mentions that sending a SIGINT to the
     in.named process will dump the current data base and cache to, by
     default, /var/tmp/named_dump.db. Some sites may find this useful in
     looking for self-referential CNAMEs.  Please see the in.named(8) man
     page for further details.)



This caught my eye in that CERT advisory and after updating my BIND to the
new 4.9.7 ( RedHat 4.2 Linux 2.0.30 i586 ) and reading through the
named(8) man pages I ran a quick check.

[root]# cp /etc/shadow /etc/junk.shadow
[root]# ls -l /etc/junk.shadow
-r--------   1 root     root          992 Apr 10 12:52 junk.shadow

Now as a non-priv user..

[Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
[Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
[Luser]# logout

(Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is toast...)

[root]# kill -SIGIOT [named.pid]

[root]# ls -al /etc/junk.shadow
-r--------   1 root     root         2251 Apr 10 13:00 /etc/junk.shadow

[root]# less /etc/junk.shadow

        someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
        nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
        +++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
        2368    time since boot (secs)
        2368    time since reset (secs)
        0       Unknown query types
<SNIP>

The statistics dump gets appended to any file on the system.

Now for the real horror -

[root]# kill -SIGINT [named.pid]
[root]# ls -l /etc/junk.shadow
-r--------   1 root     root         5249 Apr 10 13:02 /etc/junk.shadow
[root]# less /etc/junk.shadow

        ; Dumped at Fri Apr 10 13:02:40 1998
        ;; ++zone table++
        <SNIP>

No trace of the original remains. Your shadow password file or anything
else on the system is fried.

Enjoy.


--
Joe H.                                  Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net

--
Mark Andrews, CSIRO Mathematical and Information Sciences
Locked Bag 17, North Ryde, NSW 2113, Australia.
PHONE: +61 2 9325 3148                 INTERNET: Mark.Andrews () cmis csiro au
MOBIL: +61 41 442 9884           UUCP:....!uunet!cmis.csiro.au!mark.andrews

Current thread:

Re: QW server hole Chris Evans (Apr 07)
- smtp overflows Jon Beaton (Apr 08)
- Re: QW server hole Mike Hardy (Apr 08)
- Official SummerCon Announcement X (Apr 08)
- Sun Security Bulletin #00167 Aleph One (Apr 08)
- CA-98.05 Multiple Vulnerabilities in BIND Aleph One (Apr 08)
  - BIND 4.9.7 named follows symlinks, clobbers anything. Joe (Apr 10)
    - Re: BIND 4.9.7 named follows symlinks, clobbers anything. Mark.Andrews () CMIS CSIRO AU (Apr 11)
    - Re: BIND 4.9.7 named follows symlinks, clobbers anything. Paul A Vixie (Apr 11)
- BIND 8.1.2-T3B and BIND 4.9.7-T1B (fwd) Jared Mauch (Apr 08)
- Temporary fix for remote exploit in qwsv kevingeo () CRUZIO COM (Apr 09)
- Temporary fix for remote exploit in qwsv [fix] kevingeo () CRUZIO COM (Apr 09)