Bugtraq mailing list archives
Re: buffer overflow in nslookup?
From: admin () fallin devoid net (www.devoid.net)
Date: Sun, 30 Aug 1998 18:47:18 -0700
My last mail didn't go out, so this time I won't go through all the examples because I do not have the time. None of these buffer overruns core my nslookup (bind-8.1.2). I am running a dual processor x86, Pentium classic, and Cyril, not that the CPA matters.. Where did the nslookup in these examples originate?

On 30-Aug-98 Brandon Reynolds wrote:
> On Sat, 29 Aug 1998, Peter van Dijk wrote:
>
> > *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
> > Segmentation fault (core dumped)
> > [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
> > Server: zopie.attic.vuurwerk.nl
> > Address: 10.10.13.1
> >
> > Segmentation fault (core dumped)
> >
> > At first, this does not seem a problem: nslookup is not suid root or
> > anything. But several sites have cgi-scripts that call nslookup... tests
> > show that these will coredump when passed enough characters. Looks
> > exploitable to me...
>
> The offending line is line 684 in main.c:
>
>     sscanf(string, " %s", host); /* removes white space */
>
> It could easily be remedied by inserting something like this before it.
>
>     if(strlen(string) > NAME_LEN) {
>         fprintf(stderr,"host name too long.\n");
>         exit(1);
>     }
>
> The code seems to be littered with sscanf's, but I guess the command line is
> probably the only critical concern since it's not suid.
>
> Brandon Reynolds bmr () math uakron edu
> The University of Akron (330) 972-6776 fax (330) 374-8630
> Mathematical Sciences http://www.math.uakron.edu/~bmr/
--------------------------
E-Mail: admin () devoid net
Date: 30-Aug-98
Time: 18:42:45
www.devoid.net
--------------------------
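The sscanf() line Brandon quotes, rewritten with the length check he proposes plus a field width on the conversion, as an added C example that is neither from the thread nor from BIND's nslookup. The value of NAME_LEN, the function name parse_host() and its return codes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* NAME_LEN is the buffer size the thread refers to; its value is assumed. */
#define NAME_LEN 256

/* Return codes and the function name are this example's own. */
enum { HOST_OK = 0, HOST_TOO_LONG = 1, HOST_EMPTY = 2 };

/* Original pattern from the thread, kept only for comparison and not called:
 *     sscanf(string, " %s", host);      -- unbounded copy into host[NAME_LEN]
 * The guard proposed in the thread, if (strlen(string) > NAME_LEN), is off by
 * one: a string of exactly NAME_LEN characters needs NAME_LEN + 1 bytes once
 * the terminating NUL is written, so the check below uses >= instead. */
int parse_host(const char *string, char host[NAME_LEN])
{
    char fmt[16];

    if (strlen(string) >= NAME_LEN)
        return HOST_TOO_LONG;              /* reject instead of overrunning */

    /* Second line of defence: give %s a field width of NAME_LEN - 1 so the
     * conversion itself can never write past the buffer, even if a future
     * caller drops the length check. The format is built at run time so the
     * width tracks NAME_LEN automatically (" %255s" for the assumed value). */
    snprintf(fmt, sizeof fmt, " %%%ds", NAME_LEN - 1);
    if (sscanf(string, fmt, host) != 1) {
        host[0] = '\0';
        return HOST_EMPTY;                 /* nothing but white space */
    }
    return HOST_OK;
}
```

Rejecting over-long input, as here, is preferable to relying on the field width alone, which would silently truncate the name rather than report it.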