Vulnerabilities > CVE-2017-3141 - Unquoted Search Path or Element vulnerability in ISC Bind
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file system permissions allow this. Affects BIND 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, 9.10.5-S1.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging/Manipulating Configuration File Search Paths This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.
Exploit-Db
| description | BIND 9.10.5 - Unquoted Service Path Privilege Escalation. CVE-2017-3141. Local exploit for Windows platform |
| file | exploits/windows/local/42121.txt |
| id | EDB-ID:42121 |
| last seen | 2017-06-05 |
| modified | 2017-06-05 |
| platform | windows |
| port | |
| published | 2017-06-05 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/42121/ |
| title | BIND 9.10.5 - Unquoted Service Path Privilege Escalation |
| type | local |
Nessus
NASL family DNS NASL id BIND9_9111_P1.NASL description According to its self-reported version number, the instance of ISC BIND running on the remote name server is 9.x.x prior to 9.9.10-P1, 9.10.x prior to 9.10.5-P1, or 9.11.x prior to 9.11.1-P1. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists when processing Response Policy Zone (RPZ) rule types. An unauthenticated, remote attacker can exploit this, via a specially crafted query, to cause an infinite loop condition that degrades the server last seen 2020-06-01 modified 2020-06-02 plugin id 100996 published 2017-06-22 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100996 title ISC BIND 9.x.x < 9.9.10-P1 / 9.10.x < 9.10.5-P1 / 9.11.x < 9.11.1-P1 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(100996); script_version("1.11"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2017-3140", "CVE-2017-3141"); script_bugtraq_id(99088, 99089); script_xref(name:"EDB-ID", value:"42121"); script_name(english:"ISC BIND 9.x.x < 9.9.10-P1 / 9.10.x < 9.10.5-P1 / 9.11.x < 9.11.1-P1 Multiple Vulnerabilities"); script_summary(english:"Checks the version of BIND."); script_set_attribute(attribute:"synopsis", value: "The remote name server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the instance of ISC BIND running on the remote name server is 9.x.x prior to 9.9.10-P1, 9.10.x prior to 9.10.5-P1, or 9.11.x prior to 9.11.1-P1. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists when processing Response Policy Zone (RPZ) rule types. An unauthenticated, remote attacker can exploit this, via a specially crafted query, to cause an infinite loop condition that degrades the server's functionality. (CVE-2017-3140) - A privilege escalation vulnerability exists in the BIND installer for Windows due to using an unquoted service path. A local attacker can exploit this to gain elevated privileges provided that the host file system permissions allow this. Note that non-Windows builds and installations are not affected. (CVE-2017-3141)"); script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/docs/aa-01495"); script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/docs/aa-01496"); script_set_attribute(attribute:"solution", value: "Upgrade to ISC BIND version 9.9.10-P1 / 9.9.10-S2 / 9.10.5-P1 / 9.10.5-S2 / 9.11.1-P1 or later. Note that BIND 9 versions 9.9.10-S2 and 9.10.5-S2 are available exclusively for eligible ISC Support customers."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3141"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/04"); script_set_attribute(attribute:"patch_publication_date", value:"2017/06/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/22"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"DNS"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("bind_version.nasl"); script_require_keys("bind/version", "Settings/ParanoidReport"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); vcf::bind::initialize(); app_info = vcf::get_app_info(app:"BIND", port:53, kb_ver:"bind/version", service:TRUE, proto:"UDP"); if (report_paranoia < 2) audit(AUDIT_PARANOID); # patch can be applied constraints = [ { "min_version" : "9.2.6-P2", "max_version" : "9.2.9", "fixed_version" : "9.9.10-P1" }, { "min_version" : "9.3.2-P1", "max_version" : "9.3.6", "fixed_version" : "9.9.10-P1" }, { "min_version" : "9.4.0", "max_version" : "9.8.8", "fixed_version" : "9.9.10-P1" }, { "min_version" : "9.9.3-S1", "fixed_version" : "9.9.10-S2" }, { "min_version" : "9.9.0", "max_version" : "9.9.10", "fixed_version" : "9.9.10-P1" }, { "min_version" : "9.9.10-S1", "fixed_version" : "9.9.10-S2" }, { "min_version" : "9.10.5-S1", "fixed_version" : "9.10.5-S2" }, { "min_version" : "9.10.0", "fixed_version" : "9.10.5-P1" }, { "min_version" : "9.11.0", "max_version" : "9.11.1", "fixed_version" : "9.11.1-P1" } ]; constraints = vcf::bind::filter_constraints(constraints:constraints, version:app_info.version); vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201708-01.NASL description The remote host is affected by the vulnerability described in GLSA-201708-01 (BIND: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted DNS request to the BIND resolver resulting in a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 102531 published 2017-08-17 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102531 title GLSA-201708-01 : BIND: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201708-01. # # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(102531); script_version("3.3"); script_cvs_date("Date: 2019/04/10 16:10:17"); script_cve_id("CVE-2016-9131", "CVE-2016-9147", "CVE-2016-9444", "CVE-2016-9778", "CVE-2017-3135", "CVE-2017-3136", "CVE-2017-3137", "CVE-2017-3138", "CVE-2017-3140", "CVE-2017-3141"); script_xref(name:"GLSA", value:"201708-01"); script_name(english:"GLSA-201708-01 : BIND: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201708-01 (BIND: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted DNS request to the BIND resolver resulting in a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201708-01" ); script_set_attribute( attribute:"solution", value: "All BIND users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-dns/bind-9.11.1_p1'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:bind"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/12"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-dns/bind", unaffected:make_list("ge 9.11.1_p1"), vulnerable:make_list("lt 9.11.1_p1"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "BIND"); }
Packetstorm
| data source | https://packetstormsecurity.com/files/download/142800/BIND9-PRIVILEGE-ESCALATION.txt |
| id | PACKETSTORM:142800 |
| last seen | 2017-06-05 |
| published | 2017-06-05 |
| reporter | hyp3rlinx |
| source | https://packetstormsecurity.com/files/142800/BIND-9.10.5-Unquoted-Service-Path-Privilege-Escalation.html |
| title | BIND 9.10.5 Unquoted Service Path Privilege Escalation |