Vulnerability Development mailing list archives

Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe


From: warning3 <warning3 () NSFOCUS COM>
Date: Thu, 29 Mar 2001 12:11:31 +0800

Here is another method to avoid bind dying.

At first the shellcode will do a fork(), then the child process can bind a
shell at a high port or connect back to the attacker.
Since the overflow has almost not destroyed the stack (just one byte),
the parent process can just return. You have to set the correct values of
the registers %eax, %ebp, %ebx so that bind can continue its work. It is
easy to do with the iquery stack leak bug.



---Original Message---
From : olle <olle () NXS SE>
Date : Wed, 28 Mar 2001 15:47:10 +0200

The exploit code inherits the open file descriptor to the
socket bound to port 53. It then starts a "background
process" that in turn inherits the fd. It then dies.

A *new* instance of BIND is started. It cannot bind port
53 since it is already bound by the socket inherited by
the program started by the exploit code.

Fix: make the exploit code close all open fd's before
spawning another process....

Am I right or have I missed something?

/olle

Regards,
warning3 <warning3 () nsfocus com>
http://www.nsfocus.com
