BIND 8.2.3 pid文件属性问题
发布日期:2001-09-08
更新日期:2001-09-11
受影响系统:
ISC BIND 8.2.3
ISC BIND 9
描述:
ISC BIND是一个流行的UNIX系统下的域名服务器软件。
ISC BIND 8.2.3中引入了一些不安全的fchown()调用:named以root身份创建pid文件后,随即把文件所有权
交给了它之后降权运行所用的普通用户(user_id/group_id)。出于安全原因,人们通常让named以普通用户
身份运行,因此,攻击者一旦获得了named运行时的用户权限,就可以修改pid文件的内容,在其中写入任意
进程号。当root用户(例如启动脚本中的 kill `cat named.pid`)使用这个pid文件来关闭或者重启named服务
时,就会杀死攻击者指定的任意进程,造成本地拒绝服务。从下面的补丁可以看到,统计文件、动态更新日志
以及日志通道文件也存在同样的fchown()调用,一个已被攻陷的named由此还可以篡改自己的审计记录。
ISC BIND 9也存在类似的问题。
<*来源:Greg A. Woods (woods@weird.com)
链接:http://archives.neohapsis.com/archives/bugtraq/2001-09/0063.html
*>
建议:
临时解决方法:
Greg A. Woods (woods@weird.com)提供了他写的一些补丁(针对BIND 8源码,通过#if 0屏蔽上述fchown()
调用;这些补丁未经ISC审核,应用前请自行测试):
Index: src/bin/named/ns_config.c
===================================================================
RCS file: /cvs/misc/bind8/src/bin/named/ns_config.c,v
retrieving revision 1.1.1.5
diff -c -r1.1.1.5 ns_config.c
*** src/bin/named/ns_config.c 31 Jan 2001 21:03:33 -0000 1.1.1.5
--- src/bin/named/ns_config.c 8 Sep 2001 03:40:31 -0000
***************
*** 1454,1460 ****
--- 1454,1462 ----
S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
if (fd < 0)
return (NULL);
+ #if 0 /* ARGH!!!! Making the pid file writable by user_id is a major security hole!!!! */
(void) fchown(fd, user_id, group_id);
+ #endif
stream = fdopen(fd, "w");
if (stream == NULL)
(void)close(fd);
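Review bot: The pid file is still created with mode `S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH` (0666) on the first context line, so even with the fchown() disabled any local user can rewrite it unless named's umask happens to strip the group/other write bits; the mode argument should be `S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH` so that only the owner (root, now that ownership is no longer handed over) can write it. Rather than fencing the call in `#if 0`, delete the `fchown()` line and keep the rationale as a comment, e.g. `/* Deliberately no fchown(): the pid file must stay owned by the invoking uid, or a compromised named could make the init script kill an arbitrary pid. */`. The open() call and the enclosing function begin outside this hunk, so the O_* flags could not be checked here.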
Index: src/bin/named/ns_main.c
===================================================================
RCS file: /cvs/misc/bind8/src/bin/named/ns_main.c,v
retrieving revision 1.1.1.5
diff -c -r1.1.1.5 ns_main.c
*** src/bin/named/ns_main.c 31 Jan 2001 21:03:37 -0000 1.1.1.5
--- src/bin/named/ns_main.c 8 Sep 2001 03:29:07 -0000
***************
*** 621,627 ****
--- 621,629 ----
return;
case EBADF:
case ENOTSOCK:
+ #if 1 /* Note I didn't have this one listed for some reason.... -GAW */
case EFAULT:
+ #endif
/*
* If one these happens, we're broken.
*/
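Review bot: The `#if 1`/`#endif` around the new `case EFAULT:` is preprocessor scaffolding that should not be committed; emit the label plainly with a factual comment, e.g. `case EFAULT: /* bad buffer address: programming error, treat like EBADF */`, instead of the author's personal note. This label is unrelated to the fchown()/pid-file problem the rest of the patch fixes and would be easier to review and revert as a separate change. The switch and its enclosing function both start and end outside this hunk, so whether falling into the "we're broken" branch is the intended handling for EFAULT cannot be confirmed from here.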
Index: src/bin/named/ns_maint.c
===================================================================
RCS file: /cvs/misc/bind8/src/bin/named/ns_maint.c,v
retrieving revision 1.1.1.4
diff -c -r1.1.1.4 ns_maint.c
*** src/bin/named/ns_maint.c 31 Jan 2001 21:03:37 -0000 1.1.1.4
--- src/bin/named/ns_maint.c 8 Sep 2001 18:30:52 -0000
***************
*** 667,673 ****
--- 667,675 ----
name);
return(-1);
}
+ #if 0 /* ARGH!!! this one's totally unnecessary given the file is guaranteed brand new!!! */
(void) fchown(tsig_fd, user_id, group_id);
+ #endif
}
memset(secret_buf, 0, sizeof(secret_buf));
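Review bot: The disabled `fchown(tsig_fd, user_id, group_id)` is left behind as dead code under `#if 0`; delete the line and replace the exclamation with the security reason, e.g. `/* No fchown(): keep the file owned by the creating uid so the unprivileged named user cannot rewrite it. */`. The comment's claim that the file is "guaranteed brand new" depends on the open() flags, which sit above this hunk and are not visible, so it should be verified before anyone relies on it. If the descriptor is created while named still runs as root, the old code handed a file that appears to hold key material (`secret_buf` is written just below) to the runtime uid, which is the same class of problem the advisory describes, so removing the call is the right direction either way.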
Index: src/bin/named/ns_stats.c
===================================================================
RCS file: /cvs/misc/bind8/src/bin/named/ns_stats.c,v
retrieving revision 1.1.1.4
diff -c -r1.1.1.4 ns_stats.c
*** src/bin/named/ns_stats.c 31 Jan 2001 21:03:41 -0000 1.1.1.4
--- src/bin/named/ns_stats.c 8 Sep 2001 03:49:45 -0000
***************
*** 122,128 ****
--- 122,130 ----
server_options->stats_filename);
}
if (f != NULL) {
+ #if 0 /* ARGH!!!! */
(void) fchown(fileno(f), user_id, group_id);
+ #endif
fprintf(f, "+++ Host Statistics Cleared +++ (%ld) %s",
(long)timenow, checked_ctime(&timenow));
(void) my_fclose(f);
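Review bot: `#if 0 /* ARGH!!!! */` tells the next maintainer nothing and leaves the `fchown()` in the tree as dead code; delete the call in this hunk and in the two identical hunks below, and record the reason once, e.g. `/* Statistics files stay owned by the creating uid; chown'ing them to user_id let a compromised named overwrite them. */`. Since the stream is opened by the configured pathname `server_options->stats_filename` (the open itself is above this hunk), a practitioner would also want to confirm that path is not in a directory writable by the named user, otherwise a root-privileged open could still be redirected through a symlink; that cannot be determined from this diff. The enclosing function begins and ends outside the hunk.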
***************
*** 143,149 ****
--- 145,153 ----
server_options->stats_filename);
return;
}
+ #if 0 /* ARGH!!!! */
(void) fchown(fileno(f), user_id, group_id);
+ #endif
fprintf(f, "+++ Statistics Dump +++ (%ld) %s",
(long)timenow, checked_ctime(&timenow));
***************
*** 170,176 ****
--- 174,182 ----
server_options->memstats_filename);
return;
}
+ #if 0 /* ARGH!!!! */
(void) fchown(fileno(f), user_id, group_id);
+ #endif
fprintf(f, "+++ Memory Statistics Dump +++ (%ld) %s",
(long)timenow, checked_ctime(&timenow));
Index: src/bin/named/ns_update.c
===================================================================
RCS file: /cvs/misc/bind8/src/bin/named/ns_update.c,v
retrieving revision 1.1.1.4
diff -c -r1.1.1.4 ns_update.c
*** src/bin/named/ns_update.c 31 Jan 2001 21:03:41 -0000 1.1.1.4
--- src/bin/named/ns_update.c 8 Sep 2001 03:50:10 -0000
***************
*** 145,151 ****
--- 145,153 ----
strerror(errno));
return (NULL);
}
+ #if 0 /* ARGH!!!! */
(void) fchown(fileno(fp), user_id, group_id);
+ #endif
if (fseek(fp, 0L, SEEK_END) != 0) {
ns_error(ns_log_update, "can't fseek(%s, 0, SEEK_END)",
zp->z_updatelog);
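Review bot: The update log `zp->z_updatelog` appears to be opened for appending (the `fseek(fp, 0L, SEEK_END)` that follows) and, before this patch, was then chown'ed to the runtime uid; the patch disables that but leaves the call under `#if 0` with an uninformative comment — delete the `fchown()` and document why, e.g. `/* Keep the update log owned by the creating uid: a writable log lets a compromised named forge or erase its own audit trail. */`. The same applies to the `zp->z_ixfr_base` hunk that follows. The fopen() and the enclosing function are outside this hunk, so the creation mode used for the log cannot be checked here.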
***************
*** 170,176 ****
--- 172,180 ----
strerror(errno));
return (NULL);
}
+ #if 0 /* ARGH!!!! */
(void) fchown(fileno(fp), user_id, group_id);
+ #endif
if (fseek(fp, 0L, SEEK_END) != 0) {
ns_error(ns_log_update, "can't fseek(%s, 0, SEEK_END)",
zp->z_ixfr_base);
Index: src/lib/isc/logging.c
===================================================================
RCS file: /cvs/misc/bind8/src/lib/isc/logging.c,v
retrieving revision 1.1.1.4
diff -c -r1.1.1.4 logging.c
*** src/lib/isc/logging.c 31 Jan 2001 21:04:45 -0000 1.1.1.4
--- src/lib/isc/logging.c 8 Sep 2001 18:32:45 -0000
***************
*** 156,162 ****
--- 156,164 ----
chan->flags |= LOG_CHANNEL_BROKEN;
return (NULL);
}
+ #if 0 /* ARGH!!! Don't leave the audit trail writable by the attacker!!! */
(void) fchown(fd, chan->out.file.owner, chan->out.file.group);
+ #endif
chan->out.file.stream = stream;
return (stream);
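Review bot: Unlike the other hunks, this `fchown()` takes its owner and group from the channel itself (`chan->out.file.owner`, `chan->out.file.group`), which looks like a per-channel configuration setting rather than the daemon's global runtime uid; disabling it unconditionally silently ignores that setting for every log channel, not only the one that would hand the file to the named user. If the channel owner is indeed configurable, the fix should stay narrower — skip the chown only when the target would be the unprivileged runtime uid, or reject such a configuration at parse time with a diagnostic — and the decision should be recorded in a comment such as `/* Ownership is not changed here: a log file writable by the runtime uid can be tampered with after a compromise. */` rather than `ARGH!!!`. Whether `owner`/`group` come from named.conf or from the daemon's uid cannot be confirmed from this hunk, and the enclosing function begins outside it.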
厂商补丁:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商
的主页以获取最新版本:
www.isc.org/products/BIND/