[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030413160035.GA12194@c9x.org>
Date: Sun, 13 Apr 2003 18:00:13 +0200
From: Jedi/Sector One <j@...eftpd.org>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in SheerDNS
Date : 04/13/2003
Product : SheerDNS
Author : Frank Denis <j@...eftpd.org>
------------------------[ Product description ]------------------------
SheerDNS was written to be a simple replacement master DNS server that can
be used where atomic updates are required. Because it stores each record in
a small file, updating records does not require the sheerdns process to be
notified or restarted. Each update is immediately available and served as-is.
SheerDNS is extremely light-weight, simple, and fast, and written with
security in mind.
Home page : http://threading.2038bug.com/sheerdns/
------------------------[ Vulnerabilities ]------------------------
Two main vulnerabilities were found in SheerDNS 1.0.0 .
* Buffer overflow in CNAME handling.
There's buffer overflow in the way SheerDNS constructs a reply when
answering a CNAME request. See line 385 of sheerdns.c :
strcpy ((char *) query, lookup_results[0]);
query is a 256 bytes buffer on the stack, while lookup_results[0] can be
up to 1024 bytes (see dir.c) .
Lookup results are read from local files, hopefully created by trusted
processes. However, a second vulnerability can break this.
* Directory traversal in directory_lookup().
The point in SheerDNS is that data is directly served from files. Thus, a
request for the <type> record of the <zone> zone results in reading a file
whoose location is :
/var/sheerdns/<zone>/<type>
However, SheerDNS 1.0.0 doesn't sanitize the requested zone.
Using a specially crafted DNS request, an arbitrary directory can be read,
moreover SheerDNS needs root privileges and doesn't chroot.
The attached proof-of-concept makes it read the /tmp/passwd/ directory.
* If an untrusted user can create files with arbitrary names on a server
running SheerDNS, both vulnerabilities can be combined. SheerDNS can be
forced to read any untrusted file whoose name is "CNAME" and whoose content
will trigger the query[] buffer overflow.
------------------------[ Affected versions ]------------------------
Both vulnerabilities have been confirmed on SheerDNS 1.0.0 .
------------------------[ Vendor status and fixes ]------------------------
SheerDNS author Paul Sheer addressed these vulnerabilities the day they
were reported, among with some other problems.
SheerDNS 1.0.1 is now available for download from the project's main site.
--
__ /*- Frank DENIS (Jedi/Sector One) <j@...Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/
View attachment "dnsfake.c" of type "text/plain" (3240 bytes)
Powered by blists - more mailing lists