Vulnerability Development mailing list archives

Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe


From: olle <olle () NXS SE>
Date: Wed, 28 Mar 2001 15:47:10 +0200

On Mon, Mar 26, 2001 at 07:29:56PM -0600, Ryan Sweat wrote:
> I'm not sure of the technicalities of it, but I have seen it.  Let me
> correct myself here.  When named is exploited, and a user starts a
> background process while in the "exploit terminal", after logging out port
> 53 will remain open and lsof shows it being owned by the corresponding
> background process.  When named is attempted to restart, it will give an
> error stating that the "Port is in use" and the interface gets deleted
> (named ceases to listen on that port). I cannot explain this behaviour,
> maybe someone else on the list has more experience.

The exploit code inherits the open file descriptor to the
socket bound to port 53. It then starts a "background
process" that in turn inherits the fd. It then dies.

A *new* instance of BIND is started. It cannot bind port
53 since it is already bound by the socket inherited by
the program started by the exploit code.

Fix: make the exploit code close all open fd's before
spawning another process....

Am I right or have I missed something?

/olle
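As an added illustration of the descriptor inheritance olle describes (a constructed example, not code from this thread or from BIND): a UDP socket bound by a parent survives in a child that exec()s a long-running program, so once the parent closes its own copy the port can no longer be rebound; marking the listening socket FD_CLOEXEC is the daemon-side mitigation. Assumes Linux/POSIX with /bin/sleep available, and uses a kernel-chosen loopback port instead of 53.

```c
/* Constructed demonstration (not BIND code): a bound UDP socket survives
 * in a child that exec()s unless the daemon marked it FD_CLOEXEC. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the port is still held by the exec'd child after the "daemon"
 * closed its copy (rebind fails with EADDRINUSE), 0 if it could rebind. */
static int port_held_after_exec(int set_cloexec) {
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    int sp[2], fd2, held;
    char c;
    pid_t pid;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* stands in for named's port 53 */
    if (fd < 0 || pipe(sp) < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                            /* kernel picks a free port */
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) return -1;
    if (set_cloexec)
        fcntl(fd, F_SETFD, FD_CLOEXEC);        /* the mitigation under test */
    fcntl(sp[1], F_SETFD, FD_CLOEXEC);         /* pipe closes when child execs */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                            /* the "background process" */
        close(sp[0]);
        execl("/bin/sleep", "sleep", "5", (char *)NULL);
        _exit(127);
    }
    close(sp[1]);
    (void)read(sp[0], &c, 1);                  /* returns 0 once child exec'd */
    close(sp[0]);
    close(fd);                                 /* the exploited daemon "dies" */
    fd2 = socket(AF_INET, SOCK_DGRAM, 0);      /* the restarted daemon */
    held = (bind(fd2, (struct sockaddr *)&a, sizeof a) < 0 && errno == EADDRINUSE);
    close(fd2);
    kill(pid, SIGTERM);
    waitpid(pid, NULL, 0);
    return held;
}
```

While the child is alive, lsof -i UDP:<port> lists the sleep process as the holder, which is the observation in the quoted message.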
