Bugtraq mailing list archives
Re: BIND 4.9.7 named follows symlinks, clobbers anything.
From: Mark.Andrews () CMIS CSIRO AU (Mark.Andrews () CMIS CSIRO AU)
Date: Sun, 12 Apr 1998 15:27:20 +1000
[ Posted to BUGTRAQ and comp.protocols.dns.bind ] [ Standard apologies if this is already known - a search on the Bugtraq archive and Deja News comp.protocols.dns.bind doesn't indicate it.]
The standard place to report bugs in BIND is bind-bugs () vix com. The following addresses the issues below and a few others by change 4.9.7 to do what 8.1.x does, i.e. use to directory specified in named.{boot,conf} for temporaries and debug dumps. Mark *** named/ns_init.c.000 Mon Jun 2 06:34:35 1997 --- named/ns_init.c Sun Apr 12 13:12:05 1998 *************** *** 560,567 **** * We will always transfer this zone again * after a reload. */ ! sprintf(buf, "%s/NsTmp%ld.%d", _PATH_TMPDIR, ! (long)getpid(), tmpnum++); source = savestr(buf); zp->z_flags |= Z_TMP_FILE; } else --- 560,567 ---- * We will always transfer this zone again * after a reload. */ ! sprintf(buf, "NsTmp%ld.%d", (long)getpid(), ! tmpnum++); source = savestr(buf); zp->z_flags |= Z_TMP_FILE; } else *** named/ns_main.c.000 Mon Jun 2 06:34:36 1997 --- named/ns_main.c Sun Apr 12 14:51:45 1998 *************** *** 1463,1469 **** dprintf(1, (ddt, "sigprof()\n")); if (fork() == 0) { - (void) chdir(_PATH_TMPDIR); exit(1); } errno = save_errno; --- 1463,1468 ---- *** named/pathnames.h.000 Thu Dec 15 17:24:22 1994 --- named/pathnames.h Sat Apr 11 10:57:45 1998 *************** *** 74,88 **** #ifndef _PATH_XFER # define _PATH_XFER "/usr/libexec/named-xfer" #endif ! #define _PATH_DEBUG "/var/tmp/named.run" ! #define _PATH_DUMPFILE "/var/tmp/named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/var/run/named.pid" #endif ! #define _PATH_STATS "/var/tmp/named.stats" ! #define _PATH_XFERTRACE "/var/tmp/xfer.trace" ! #define _PATH_XFERDDT "/var/tmp/xfer.ddt" ! #define _PATH_TMPXFER "/var/tmp/xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/var/tmp" #else /* BSD */ --- 74,88 ---- #ifndef _PATH_XFER # define _PATH_XFER "/usr/libexec/named-xfer" #endif ! #define _PATH_DEBUG "named.run" ! #define _PATH_DUMPFILE "named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/var/run/named.pid" #endif ! #define _PATH_STATS "named.stats" ! #define _PATH_XFERTRACE "xfer.trace" ! #define _PATH_XFERDDT "xfer.ddt" ! #define _PATH_TMPXFER "xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/var/tmp" #else /* BSD */ *************** *** 92,106 **** #ifndef _PATH_XFER # define _PATH_XFER "/etc/named-xfer" #endif ! #define _PATH_DEBUG "/usr/tmp/named.run" ! #define _PATH_DUMPFILE "/usr/tmp/named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/etc/named.pid" #endif ! #define _PATH_STATS "/usr/tmp/named.stats" ! #define _PATH_XFERTRACE "/usr/tmp/xfer.trace" ! #define _PATH_XFERDDT "/usr/tmp/xfer.ddt" ! #define _PATH_TMPXFER "/usr/tmp/xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/usr/tmp" #endif /* BSD */ --- 92,106 ---- #ifndef _PATH_XFER # define _PATH_XFER "/etc/named-xfer" #endif ! #define _PATH_DEBUG "named.run" ! #define _PATH_DUMPFILE "named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/etc/named.pid" #endif ! #define _PATH_STATS "named.stats" ! #define _PATH_XFERTRACE "xfer.trace" ! #define _PATH_XFERDDT "xfer.ddt" ! #define _PATH_TMPXFER "xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/usr/tmp" #endif /* BSD */
The new named(8) happily follows symlinks and clobbers any file on the system when it receives a SIGINT. (Used for debugging and statistics gathering) SIGINT dumps the named database to /var/tmp/named_dump.db It will also happily append data to any system file when it receives a SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats. This problem is probably recursive to previous versions of named but since I've already replaced mine I can't confirm that. On Wed, 8 Apr 1998, Aleph One wrote: [Snippage of the latest CERT](Note: the in.named(8) man page mentions that sending a SIGINT to the in.named process will dump the current data base and cache to, by default, /var/tmp/named_dump.db. Some sites may find this useful in looking for self-referential CNAMEs. Please see the in.named(8) man page for further details.)This caught my eye in that CERT advisory and after updating my BIND to the new 4.9.7 ( RedHat 4.2 Linux 2.0.30 i586 ) and reading through the named(8) man pages I ran a quick check. [root]# cp /etc/shadow /etc/junk.shadow [root]# ls -l /etc/junk.shadow -r-------- 1 root root 992 Apr 10 12:52 junk.shadow Now as a non-priv user.. [Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db [Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats [Luser]# logout (Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is toast...) [root]# kill -SIGIOT [named.pid] [root]# ls -al /etc/junk.shadow -r-------- 1 root root 2251 Apr 10 13:00 /etc/junk.shadow [root]# less /etc/junk.shadow someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1 nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1 +++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998 2368 time since boot (secs) 2368 time since reset (secs) 0 Unknown query types <SNIP> The statistics dump gets appended to any file on the system. Now for the real horror - [root]# kill -SIGINT [named.pid] [root]# ls -l /etc/junk.shadow -r-------- 1 root root 5249 Apr 10 13:02 /etc/junk.shadow [root]# less /etc/junk.shadow ; Dumped at Fri Apr 10 13:02:40 1998 ;; ++zone table++ <SNIP> No trace of the original remains. Your shadow password file or anything else on the system is fried. Enjoy. -- Joe H. Technical Support General Support: support () blarg net Blarg! Online Services, Inc. Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
-- Mark Andrews, CSIRO Mathematical and Information Sciences Locked Bag 17, North Ryde, NSW 2113, Australia. PHONE: +61 2 9325 3148 INTERNET: Mark.Andrews () cmis csiro au MOBIL: +61 41 442 9884 UUCP:....!uunet!cmis.csiro.au!mark.andrews
Current thread:
- Re: QW server hole Chris Evans (Apr 07)
- smtp overflows Jon Beaton (Apr 08)
- Re: QW server hole Mike Hardy (Apr 08)
- Official SummerCon Announcement X (Apr 08)
- Sun Security Bulletin #00167 Aleph One (Apr 08)
- CA-98.05 Multiple Vulnerabilities in BIND Aleph One (Apr 08)
- BIND 4.9.7 named follows symlinks, clobbers anything. Joe (Apr 10)
- Re: BIND 4.9.7 named follows symlinks, clobbers anything. Mark.Andrews () CMIS CSIRO AU (Apr 11)
- Re: BIND 4.9.7 named follows symlinks, clobbers anything. Paul A Vixie (Apr 11)
- BIND 4.9.7 named follows symlinks, clobbers anything. Joe (Apr 10)
- BIND 8.1.2-T3B and BIND 4.9.7-T1B (fwd) Jared Mauch (Apr 08)
- Temporary fix for remote exploit in qwsv kevingeo () CRUZIO COM (Apr 09)
- Temporary fix for remote exploit in qwsv [fix] kevingeo () CRUZIO COM (Apr 09)