Date : 04/13/2003 Product : SheerDNS Author : Frank Denis <jat_private> ------------------------[ Product description ]------------------------ SheerDNS was written to be a simple replacement master DNS server that can be used where atomic updates are required. Because it stores each record in a small file, updating records does not require the sheerdns process to be notified or restarted. Each update is immediately available and served as-is. SheerDNS is extremely light-weight, simple, and fast, and written with security in mind. Home page : http://threading.2038bug.com/sheerdns/ ------------------------[ Vulnerabilities ]------------------------ Two main vulnerabilities were found in SheerDNS 1.0.0 . * Buffer overflow in CNAME handling. There's buffer overflow in the way SheerDNS constructs a reply when answering a CNAME request. See line 385 of sheerdns.c : strcpy ((char *) query, lookup_results[0]); query is a 256 bytes buffer on the stack, while lookup_results[0] can be up to 1024 bytes (see dir.c) . Lookup results are read from local files, hopefully created by trusted processes. However, a second vulnerability can break this. * Directory traversal in directory_lookup(). The point in SheerDNS is that data is directly served from files. Thus, a request for the <type> record of the <zone> zone results in reading a file whoose location is : /var/sheerdns/<zone>/<type> However, SheerDNS 1.0.0 doesn't sanitize the requested zone. Using a specially crafted DNS request, an arbitrary directory can be read, moreover SheerDNS needs root privileges and doesn't chroot. The attached proof-of-concept makes it read the /tmp/passwd/ directory. * If an untrusted user can create files with arbitrary names on a server running SheerDNS, both vulnerabilities can be combined. SheerDNS can be forced to read any untrusted file whoose name is "CNAME" and whoose content will trigger the query[] buffer overflow. ------------------------[ Affected versions ]------------------------ Both vulnerabilities have been confirmed on SheerDNS 1.0.0 . ------------------------[ Vendor status and fixes ]------------------------ SheerDNS author Paul Sheer addressed these vulnerabilities the day they were reported, among with some other problems. SheerDNS 1.0.1 is now available for download from the project's main site. -- __ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\ __ \ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' / \/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/
This archive was generated by hypermail 2b30 : Mon Apr 14 2003 - 09:20:44 PDT