Vulnerability Development mailing list archives
Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe
From: warning3 <warning3 () NSFOCUS COM>
Date: Thu, 29 Mar 2001 12:11:31 +0800
Here is another method to avoid BIND dying. At first the shellcode will do a fork(); then the child process can bind a shell at a high port or connect back to the attacker. Since the overflow has almost not destroyed the stack (just one byte), the parent process can just return. You have to set the correct values of the registers %eax, %ebp, %ebx so that BIND can continue its work. It is easy to do with the iquery stack leak bug.

---Original Message---
From : olle <olle () NXS SE>
Date : Wed, 28 Mar 2001 15:47:10 +0200
The exploit code inherits the open file descriptor to the socket bound to port 53. It then starts a "background process" that in turn inherits the fd. It then dies. A *new* instance of BIND is started. It cannot bind port 53 since it is already bound by the socket inherited by the program started by the exploit code. Fix: make the exploit code close all open fds before spawning another process.... Am I right or have I missed something?

/olle
Regards,
warning3 <warning3 () nsfocus com>
http://www.nsfocus.com
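A defender-side check for the situation olle describes (a socket on port 53 still held by a process that is not the name server), added here as an example and not part of the thread: parse `ss -lnp`-style listing lines and flag every process other than `named` that holds a port-53 socket. The sample listing below is constructed, not captured from a real host, and the `users:(...)` column format is assumed to match that of `ss -p`.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of `ss -lnp` output (not from a real host).
# The udp line shows the case from the thread: the named socket is also
# held by a second, unrelated process that inherited the descriptor.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*         users:(("named",pid=1234,fd=20),("sh",pid=1300,fd=20))
tcp   LISTEN 0      128    0.0.0.0:53        0.0.0.0:*         users:(("named",pid=1234,fd=21))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=800,fd=3))
"""

# One ("comm",pid=N,fd=M) entry inside the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')
ALLOWED_HOLDERS = {"named"}


def find_foreign_holders(ss_output: str, port: int = 53,
                         allowed=ALLOWED_HOLDERS) -> List[Tuple[str, str, int, int]]:
    """Return (netid, process, pid, fd) for every non-allowed process that
    holds a socket bound to `port`. Multiple holders of one socket are the
    signature of an inherited descriptor."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        local = fields[4]  # e.g. 0.0.0.0:53 or [::]:53; port follows last ':'
        try:
            lport = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if lport != port:
            continue
        for name, pid, fd in PROC_RE.findall(line):
            if name not in allowed:
                findings.append((fields[0], name, int(pid), int(fd)))
    return findings


if __name__ == "__main__":
    for netid, name, pid, fd in find_foreign_holders(SAMPLE_SS_OUTPUT):
        print(f"port 53 ({netid}) held by unexpected process {name} pid={pid} fd={fd}")
```

On a live host, feed the function the real output of `ss -lnp` (or the equivalent lsof listing); an empty result means only the expected daemon holds port 53.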
Current thread:
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe Pasquale Mauro Minervini (Mar 25)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe Ryan Sweat (Mar 25)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe Lord Soth (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe Ryan Sweat (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIqueryprobe Lord Soth (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe olle (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe warning3 (Mar 29)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe Lord Soth (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe Ryan Sweat (Mar 25)