ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability BugTraq ID: 2302 Remote: Yes Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2302 Summary: BIND is a server program that implements the domain name service (DNS) protocol. It is in extremely wide use on the Internet. Versions 8.2 and above of BIND contain a buffer overflow that may be exploitable by remote attackers. When BIND recieves a query, it reads it into a buffer and then processes it. If the request came in via the UDP transport the query is read by the 'datagram_read()' function into the 'u.buf' buffer. This buffer is on the stack and is 512 bytes in length, the maximum amount of information that can be sent in a single UDP datagram. If the request came in via the TCP transport the query is read by the 'stream_getlen()' function into the 'sp->s_buf'. This buffer is allocated via the 'malloc()' function on the heap and is 64KB in length. When sending responses, BIND re-uses this buffer for creating the response. As BIND processes the request, it appends data to the DNS response. When it's finished it modifies the DNS header and sends the response. The length of the DNS message as well as the number of bytes that can be written are kept track of using two variables. 'msglen' is used to keep track of the amount of data in the buffer. 'buflen' is used to keep track of the amount of remaining free space in the buffer. Starting with BIND 8.2 when a transaction signature is included in the query, BIND skips normal processing of the request and attempts to verify the signature via the 'ns_find_tsig()' function. If the signature is invalid, a TSIG response is appended to the buffer while BIND assumes that 'msglen' plus 'buflen' equal the size of the buffer. As normal processing has been skipped 'msglen' plus 'buflen' are in fact almost twice the length of the buffer. Thus the TSIG record is written via ns_sign() beyond the boundaries of the buffer. This can result in the TSIG response being written partially over the executing function's stack frame or in overwriting malloc's internal variables. The TSIG response consists of fixed values, including zero-value bytes. In the case of a request received via UDP were the buffer is on the stack the attacker may gain control over some portions of the stack frame of the calling function in the 'datagram_read()' function. In the Intel IA32 architecture it may be possible to overwrite the least significant byte of the of the saved frame pointer with a zero. This would result on most instances on the saved frame pointer pointing into the area of memory with the original DNS request which is under the control of the attacker. An arbitrary address supplied by the attacker inserted within this region of memory can be referenced as a return address when the calling function returns. If this address points to shellcode, it will be executed with privileges of named. Predicting the result of the one byte overflow of the frame pointer can be made easier by using the BID 2321 vulnerability to retrieve the stack activation record of the 'datagram_read()' function. This information can be used to exactly calculate were the frame pointer will point to once it's least significant byte is overwritten with a zero value. In the case of a request received via TCP were the buffer is in the 'bss' or 'heap' region of process memory, while this is a buffer overflow, it cannot be exploited in the same way a stack overflow can be. In addition, this part of memory is not executable, therefore any shellcode must somehow be put in the stack. One way to exploit the vulnerability in this case is through corruption of malloc() structures. If an attacker can overwrite the beginning of a malloc()'ed block of memory and have it remain intact until free() is called on it, arbitrary locations in memory can be overwritten with attacker supplied-values. An attacker may, for example, overwrite a return address on the stack with a value pointing to shellcode somewhere in executable memory. When the function returns, the supplied shellcode will be executed with privileges of named (typically root). This attack against the malloc() structures only work againsts implementations of this function that maintain the linkage structures in the same memory area used to allocate memory. Implementation known vulnerable to this type of attack include the ones in the IRIX libc library, the Linux glibc library, and the Solaris libc library. AT&T WinVNC Client Buffer Overflow Vulnerability BugTraq ID: 2305 Remote: Yes Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2305 Summary: VNC is the Virtual Network Computing package, a freely available remote administration package designed to allow access to a remote system desktop. It is distributed and maintained by AT&T. A problem with the client portion of the package could allow a remote user to execute arbitrary code. This is due to the handling of the rfbConnFailed packet sent from the server to the client during connection and authentication. This error response normally signals the client that the connection attempt has failed, at which time the client passes the contents of the packet through a logging routine for future administrative reference. However, by spoofing the version number of the server, and sending the rfbConnFailed packet with a reason string of 1024 bytes, and a reason length of greater than 1024 bytes, an overflow will occur. This overflow could be used to overwrite stack variables, including the return address, and execute arbitrary code. This problem makes it possible for a user with malicious motives to execute code on a remote system, with the privileges of the user of the WinVNC client. AT&T WinVNC Server Buffer Overflow Vulnerability BugTraq ID: 2306 Remote: Yes Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2306 Summary: WinVNC is a freely available software package designed to give remote desktop access to servers using the client/server. It is distributed and maintained by AT&T. A problem with the WinVNC server could allow remote users to arbitrarily execute code. The problem is due to the handling of HTTP requests when a non-zero debug level has been set. HTTP requests are placed into a buffer of 1024 bytes, and when the Windows registry key DebugLevel is set to a value greater than 0, the HTTP request is logged using the method ReallyPrint(), which contains a fixed buffer of 1024 bytes. It is possible to generate a custom crafted HTTP request to the WinVNC server that will overwrite variables on the stack, including the return address. A malicious user can use this vulnerability to execute arbitrary code with privileges of the WinVNC server process, and potentially gain access to the local system. ISC Bind 4 nslookupComplain() Buffer Overflow Vulnerability BugTraq ID: 2307 Remote: Yes Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2307 Summary: BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, currently being used by most Internet DNS servers. Version 4 of BIND contains a stack overflow that may be exploitable by attackers to gain root access remotely. When BIND 4 nameservers recieve a query for a hostname, the first thing that happens is that their own zone files and caches are checked for records that match requested address/hostname. If the hostname cannot be resolved through these local means, BIND obtains the nameservers that are responsible for the host's domain. Once it has the proper NS records, BIND calls nslookup() to obtain the IP addresses of these nameservers. The nslookup() function checks each nameserver IP address for validity. If it is invalid (ie, 0.0.0.0, 255.255.255.255 or a multicast address), it calls nslookupComplain()to log the error to syslog. A buffer overflow condition exists in the nslookupComplain() function. When generating the error message, nslookupComplain() uses sprintf() to construct a null terminated string. This string is 999 bytes in length and is a local variable. If the nameserver hostname exceeds the length of the buffer size, it will be copied over nslookupComplain()'s stack variables when the string is created. Because the buffer size is so large, it may require that the attacker use more than one malicious DNS server to build a fully qualified domain name long enough to cause the overflow. As stated above, this vulnerability could be exploited to gain remote access to the host on which BIND 4 is running. By replacing the return address with an address pointing to supplied shellcode, an attacker can execute arbitrary code. It should be noted, however, that the bytes an attacker may use to carry out this attack must be characters allowed in Internet hostnames. It may not be possible to build a valid return address from these bytes. ISC Bind 4 nslookupComplain() Format String Vulnerability BugTraq ID: 2309 Remote: Yes Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2309 Summary: BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, currently being used by most Internet DNS servers. Version 4 of BIND contains a format string vulnerability that may be exploitable by attackers to gain root access remotely. When BIND 4 nameservers recieve a query for a hostname, the first thing that happens is that their own zone files and caches are checked for records that match requested address/hostname. If the hostname cannot be resolved through these local means, BIND obtains the nameservers that are responsible for the host's domain. Once it has the proper NS records, BIND calls nslookup() to obtain the IP addresses of these nameservers. The nslookup() function checks each nameserver IP address for validity. If it is invalid (ie, 0.0.0.0, 255.255.255.255 or a multicast address), it calls nslookupComplain()to log the error to syslog. A condition exists in the nslookupComplain() function that may allow a remote attacker to overwrite arbitrary locations in memory with almost arbitrary values. This is due to passing syslog() a string containing attacker-supplied input (nameserver hostname) as its format string argument. Any format specifiers that are within the hostname will be acted upon by the *printf() function used by syslog(). If an attacker utilizes certain format specifiers, arbitrary locations in memory can be overwritten. An attacker may, for example, overwrite a function return address with a value pointing to shellcode in memory. It may require that the attacker use more than one malicious DNS server to build a fully qualified domain name long enough to contain the format specifiers. It should be noted that this may not be exploitable due to restrictions on characters in domain names. ISC BIND Internal Memory Disclosure Vulnerability BugTraq ID: 2321 Remote: Yes Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2321 Summary: BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, in use by most of the DNS servers. The ISC has disclosed information about a vulnerability in BIND that may disclose memory contents to remote attackers. The vulnerability can be exploited if an attacker crafts a specially formed 'inverse query' that causes the behaviour to occur. The memory disclosed is from the program's 'stack' region of memory, which stores internal-values related to execution as well as run-time/local variables. In addition to reading such information as environment-variables or function variables from the stack, it may also be possible for the attacker to make an assessment of the run-time memory layout. This information could assist in more easily launched/successful platform/architechure and data-dependent attacks. An example of this is the single-byte buffer overflow transaction signatures vulnerability in BIND (Bugtraq ID 2302). According to COVERT Advisory 2000-01 from Network Associates, it is possible to retrieve stack frames from BIND with this vulnerability. With this information, well-written exploit code can automatically know where a return address will be read from after a saved base pointer has been modified. This hypothetical well-written exploit code can then automatically adjust the location of the replacement return address and exploit the vulnerability successfully (provided other conditions are met) on the first try. As demonstrated above, such disclosed information may provide attackers with a cleaner, more efficient means of exploiting other vulnerabilities. FreeBSD inetd wheel Group File Read Vulnerability BugTraq ID: 2324 Remote: Yes Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2324 Summary: inetd is the superserver of internet services, included with most implementations of the UNIX Operating System. FreeBSD is a freely available, open source implementation of UNIX. A problem in the implementation of inetd as distributed with FreeBSD could allow access to restricted resources. Due to the design of the inetd package, inetd incorrectly sets group privileges on child processes, depending on the user. When an ident request is received, the identd process is started by inetd, inheriting group privileges of wheel, the root group. Upon generating a custom crafted request to the identd process, it is possible to manipulate the process into reading the first 16 bytes of any wheel readable file. This flaw makes it possible for a user with malicious motives to read the first 16 bytes of sensitive files, potentially accessing the first entry of the encrypted password file, and gaining access to or elevated privileges on the local host. FreeBSD periodic /tmp File Race Condition Vulnerability BugTraq ID: 2325 Remote: No Date Published: 2001-01-29 Relevant URL: http://www.securityfocus.com/bid/2325 Summary: FreeBSD is a freely available, open source implementation of the BSD-UNIX Operating system, maintained and distributed by the BSD Project. Periodic is a timed execution package included with recent release of the operating system. A problem in the periodic implementation could allow an attacker to append to and corrupt files with write access granted only to the superuser. When cron is executed, it normally calls periodic to execute the commands according to their timed sequence. However, when the process is spawned, files are created in the /tmp directory in an insecure manner, allowing for prediction and brute force guessing of future file names. This problem makes it possible for a local user with malicious motives to symbolicially link access restricted files and append output to them, resulting in the corruption of the file. Linux man -l Format String Vulnerability BugTraq ID: 2327 Remote: No Date Published: 2001-01-31 Relevant URL: http://www.securityfocus.com/bid/2327 Summary: man is the manual page viewing program, included in most variations of the UNIX Operating System. It is freely distributed and openly maintained. A problem with the man command may allow for the elevation of privileges. Due to the handling of format strings by the man command, it may be possible for a local user to pass format strings to the man command, which could result in the overwriting of space and variables, including the return address on the stack. man, as implemented with some distributions of the Linux operating system, is included as an SUID root binary. Therefore, it may be possible for a malicious user with local access to execute arbitrary code on the stack, and potentially gain elevated privileges, including administrative access. - Pour poster une annonce: [EMAIL PROTECTED]
