Bugtraq mailing list archives
buffer overflow in nslookup?
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Sat, 29 Aug 1998 16:36:02 +0200
[peter@koek] ~$ nslookup `perl -e 'print "A" x 100;'`
Server: zopie.attic.vuurwerk.nl
Address: 10.10.13.1

*** zopie.attic.vuurwerk.nl can't find AAA.....AAA: Unspecified error
[peter@koek] ~$ nslookup `perl -e 'print "A" x 300;'`
Server: zopie.attic.vuurwerk.nl
Address: 10.10.13.1

*** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
Segmentation fault (core dumped)
[peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
Server: zopie.attic.vuurwerk.nl
Address: 10.10.13.1

Segmentation fault (core dumped)

At first, this does not seem a problem: nslookup is not suid root or anything. But several sites have cgi-scripts that call nslookup... tests show that these will coredump when passed enough characters. Looks exploitable to me...

Greetz, Peter.
--
'I guess anybody who walks away from a root shell at : Peter van Dijk
a nerd party gets what they deserve!' -- BillSF      : peter () attic vuurwerk nl
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
finger hardbeat () selweird ml org for my public PGP-key
- --- - --- - --- - --- - --- - --- - --- - --- - --- -
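An added example, not part of the original post: a check that a CGI wrapper could run on a user-supplied name before passing it to nslookup, so that arguments like the 300- and 1000-character ones above never reach the tool. The helper name valid_dns_name is hypothetical and the limits are the RFC 1035 name and label lengths; it does not fix nslookup itself.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN  253 /* longest DNS name in dotted text form (RFC 1035) */
#define MAX_LABEL_LEN 63  /* longest single label (RFC 1035) */

/* Hypothetical helper: 1 if s is a plain host name within DNS length limits
 * (letters, digits, '-' and '.' only), 0 otherwise. */
int valid_dns_name(const char *s)
{
    size_t i, label_len = 0;
    char c, prev = '.';

    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        if (i >= MAX_NAME_LEN)
            return 0;                 /* over-long name: stop reading here */
        c = s[i];
        if (c == '.') {
            if (label_len == 0 || prev == '-')
                return 0;             /* empty label or label ending in '-' */
            label_len = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || (c == '-' && label_len > 0)) {
            if (++label_len > MAX_LABEL_LEN)
                return 0;             /* label longer than 63 characters */
        } else {
            return 0;                 /* leading '-', shell metacharacters, ... */
        }
        prev = c;
    }
    return prev != '-';               /* a single trailing '.' is accepted */
}

int main(void)
{
    char big[301];                    /* constructed input, same size as in the post */

    memset(big, 'A', 300);
    big[300] = '\0';
    printf("zopie.attic.vuurwerk.nl -> %d\n", valid_dns_name("zopie.attic.vuurwerk.nl"));
    printf("300 x 'A'               -> %d\n", valid_dns_name(big));
    printf("-type=any               -> %d\n", valid_dns_name("-type=any"));
    return 0;
}
```

A wrapper would call this before building the nslookup command line and return an error page when it yields 0.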