Bugtraq mailing list archives
DoS attack for ircd's by oversized PTR record
From: goblin () ULTIMATE PT (Goblin)
Date: Fri, 29 Oct 1999 12:56:09 +0100
(Read first: some domains and IPs listed here were substituted by fake ones, at their owners' request, but the examples are 100% true and really tested.)

I found this "bug" while trying to make a BIG sub-domain on my name server. What I did was put this in my named.conf:

    A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal IN A 111.111.111.111
    111.111.111.111.in-addr IN PTR A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxx.pt.

Changed the serial, did named.restart, and checked whether it was working or not:

    nslookup
    Default Server: ptm-1.xxxxxxx.pt
    Address: 111.111.111.2

    111.111.111.111
    Server: ptm-1.xxxxxxx.pt
    Address: 111.111.111.2

    Name: A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxxx.pt
    Address: 111.111.111.111

Well, it was working; I now had an IP <-> name (resolving IP).

So I decided to go to a Portuguese IRC network (irc.ptlink.net). To my amazement the server crashed (only the ircd) when trying to resolve my IP. I tried another server and got the same result. I did some more checking and found it to be vulnerable; it was running Elite.PTlink3.3.1, a modified version of Elite ircd's.

I probed around for other ircd software and found another network running u.2.9.32 (an Undernet ircd), tried it, and found it to be vulnerable as well.

Continuing, I tried it on Ptnet version PTnet1.5.39F, which is based on Dalnet's ircd's, and found it to NOT be vulnerable: when I connected it tried to resolve my IP and failed, but it didn't crash; it continued the connection normally.

So let me put this in a small list of affected IRCds.

Vulnerable:
    Elite ircd (versions unknown)
    Ptlink ircd (all versions)
    Undernet ircd (u.2.9.32)

Not vulnerable:
    Ptnet (versions unknown and 1.5.39F)

(Note that this DoS could be applied to many other things.)

Any questions about this DoS in ircds, please mail me; if it is a valid request I would be glad to help.

Pedro Reis ( Goblin ) @ Portugal (irc.ptlink.net)
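An added example, not part of the original post and not code from any of the ircds it names: a defensive check that treats a PTR answer as untrusted input and falls back to the IP address when the name is too long or malformed, which matches the behaviour reported for Ptnet. The post does not state the root cause of the crash; the sketch assumes a fixed-size host field, and HOSTLEN (63), ptr_name_ok and set_client_host are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTLEN 63 /* assumption: size of the server's per-client host field */

/* Return 1 if a PTR answer fits the host field and looks like a hostname. */
static int ptr_name_ok(const char *name)
{
    size_t len = strlen(name), label = 0;

    if (len == 0 || len > HOSTLEN)
        return 0;                      /* oversized answers stop here */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0)
                return 0;              /* leading dot or empty label */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            label++;
        } else {
            return 0;                  /* control chars, spaces, '@', ... */
        }
    }
    return 1;
}

/* Fill host[] for a new client; resolved may be NULL if the lookup failed.
 * Returns 1 if the resolved name was used, 0 if we fell back to the IP. */
int set_client_host(char host[HOSTLEN + 1], const char *resolved, const char *ip)
{
    int ok = resolved != NULL && ptr_name_ok(resolved);

    snprintf(host, HOSTLEN + 1, "%s", ok ? resolved : ip);
    return ok;
}

int main(void)
{
    /* Constructed input: the 97-character name from the post. */
    const char *big = "A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior."
                      "nome.de.uma.maquina.em.portugal.xxxxxxx.pt";
    char host[HOSTLEN + 1];
    int used = set_client_host(host, big, "111.111.111.111");

    printf("resolved name used: %d, host = %s\n", used, host);
    return 0;
}
```

The name in the post is a legal DNS name, so the length limit has to be enforced by the application that stores it, not assumed from the resolver.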