90 lines
No EOL
2.4 KiB
Text
90 lines
No EOL
2.4 KiB
Text
[+] Credits: John Page aka hyp3rlinx
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
|
|
Vendor:
|
|
===========
|
|
www.isc.org
|
|
|
|
|
|
|
|
Product:
|
|
===========
|
|
BIND9
|
|
v9.10.5 x86 / x64
|
|
|
|
|
|
BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS
|
|
queries for your users. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s
|
|
at the University of California at Berkeley.
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
===================
|
|
Privilege Escalation
|
|
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2017-3141
|
|
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
BIND installs as a service with an unquoted service path, to exploit a local attacker must place
|
|
a malicious executable file named "Program.exe" in the path of the service, if the process runs under
|
|
some account other than the attackers it can be used to exec code under a different set of privileges.
|
|
|
|
|
|
C:\>sc qc named
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME: named
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files\ISC BIND 9\bin\named.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : ISC BIND
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : .\named
|
|
|
|
|
|
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Local
|
|
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Medium
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
==================================
|
|
Vendor Notification: May 13, 2017
|
|
Vendor confirm: May 14, 2017
|
|
June 4, 2017 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c). |