Vulnerability Development mailing list archives
Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe
From: olle <olle () NXS SE>
Date: Wed, 28 Mar 2001 15:47:10 +0200
On Mon, Mar 26, 2001 at 07:29:56PM -0600, Ryan Sweat wrote:
> I'm not sure of the technicalities of it, but I have seen it. Let me correct myself here. When named is exploited, and a user starts a background process while in the "exploit terminal", after logging out port 53 will remain open and lsof shows it being owned by the corresponding background process. When named is attempted to restart, it will give an error stating that the "Port is in use" and the interface gets deleted (named ceases to listen on that port). I cannot explain this behaviour, maybe someone else on the list has more experience.
The exploit code inherits the open file descriptor to the socket bound to port 53. It then starts a "background process" that in turn inherits the fd. It then dies. A *new* instance of BIND is started. It cannot bind port 53 since it is already bound by the socket inherited by the program started by the exploit code.

Fix: make the exploit code close all open fd's before spawning another process....

Am I right or have I missed something?

/olle
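The descriptor inheritance described in the reply above, as an added example that is not part of the original post: a forked child keeps an inherited bound socket open, so a fresh bind to the same port fails with EADDRINUSE until the child exits. It assumes a kernel-chosen UDP port on loopback in place of port 53, and the function names are illustrative.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 127.0.0.1 with the given port (network byte order; 0 = kernel picks). */
static struct sockaddr_in loopback(unsigned short port_be) {
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = port_be;
    return a;
}

/* What a restarted daemon does: bind a fresh socket. Returns 0 or errno. */
static int try_bind(unsigned short port_be) {
    struct sockaddr_in a = loopback(port_be);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return errno;
    int rc = bind(s, (struct sockaddr *)&a, sizeof a) ? errno : 0;
    close(s);
    return rc;
}

/* held_err: bind result while a child holds the inherited fd.
   freed_err: bind result after that child is gone. Returns 0 on success. */
int inherited_fd_demo(int *held_err, int *freed_err) {
    struct sockaddr_in a = loopback(0);
    socklen_t len = sizeof a;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) ||
        getsockname(s, (struct sockaddr *)&a, &len)) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) { pause(); _exit(0); } /* background process, fd still open */
    close(s);                              /* original owner goes away */
    *held_err = try_bind(a.sin_port);      /* socket lives on in the child */
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);               /* last reference to the socket closed */
    *freed_err = try_bind(a.sin_port);
    return 0;
}
```

On a live host, the lsof check mentioned in the quoted message is what names the process still holding the socket.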