Multiple vulnerabilities in SheerDNS

From: Jedi/Sector One (jat_private)
Date: Sun Apr 13 2003 - 09:00:13 PDT

Next message: Aviram Jenik: "Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach"

Previous message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:126-01] Updated gtkhtml packages fix vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date    : 04/13/2003
Product : SheerDNS
Author  : Frank Denis <jat_private>


   ------------------------[ Product description ]------------------------
     
  SheerDNS was written to be a simple replacement master DNS server that can
be used where atomic updates are required. Because it stores each record in
a small file, updating records does not require the sheerdns process to be
notified or restarted. Each update is immediately available and served as-is. 

  SheerDNS is extremely light-weight, simple, and fast, and written with
security in mind. 

  Home page : http://threading.2038bug.com/sheerdns/


     ------------------------[ Vulnerabilities ]------------------------
  
  Two main vulnerabilities were found in SheerDNS 1.0.0 .
  
 * Buffer overflow in CNAME handling.
 
  There's buffer overflow in the way SheerDNS constructs a reply when
answering a CNAME request. See line 385 of sheerdns.c :

  strcpy ((char *) query, lookup_results[0]);

  query is a 256 bytes buffer on the stack, while lookup_results[0] can be
up to 1024 bytes (see dir.c) .

  Lookup results are read from local files, hopefully created by trusted
processes. However, a second vulnerability can break this.

 * Directory traversal in directory_lookup().
 
  The point in SheerDNS is that data is directly served from files. Thus, a
request for the <type> record of the <zone> zone results in reading a file
whoose location is :

  /var/sheerdns/<zone>/<type>
  
  However, SheerDNS 1.0.0 doesn't sanitize the requested zone.
  
  Using a specially crafted DNS request, an arbitrary directory can be read,
moreover SheerDNS needs root privileges and doesn't chroot.

  The attached proof-of-concept makes it read the /tmp/passwd/ directory.
  
 * If an untrusted user can create files with arbitrary names on a server
running SheerDNS, both vulnerabilities can be combined. SheerDNS can be
forced to read any untrusted file whoose name is "CNAME" and whoose content
will trigger the query[] buffer overflow.


    ------------------------[ Affected versions ]------------------------
    
  Both vulnerabilities have been confirmed on SheerDNS 1.0.0 .
  
  
 ------------------------[ Vendor status and fixes ]------------------------
      
  SheerDNS author Paul Sheer addressed these vulnerabilities the day they
were reported, among with some other problems.

  SheerDNS 1.0.1 is now available for download from the project's main site.
  
  
-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

text/plain attachment: dnsfake.c

Next message: Aviram Jenik: "Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach"
Previous message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:126-01] Updated gtkhtml packages fix vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Apr 14 2003 - 09:20:44 PDT