Nmap Development mailing list archives
Re: Stack overflow in dns-zone-transfer.nse
From: David Fifield <david () bamsoftware com>
Date: Sat, 7 Feb 2009 21:45:04 -0700
On Fri, Feb 06, 2009 at 12:36:37PM -0700, David Fifield wrote:
> We have a perfectly good DNS parser in dns.lua, so there's no reason to have a duplicate in dns-zone-transfer.nse. Does anyone want to try to fix this? The only tricky part is that the script's parser is set up to deal with the two-byte length prefix mentioned in http://seclists.org/nmap-dev/2009/q1/0316.html and dns.lua's is not. So the first step is to change responses_iter in dns-zone-transfer.nse to strip the length prefixes. After that it should be possible to drop in the dns.lua replacement.
I found and fixed another bug in the dns-zone-transfer.nse DNS parser, another good argument for no code duplication. This bug transformed all '0' characters (ASCII 48, not NUL) to '.', so the name net360.example.com would become net36..example.com. The problem was in the last line, which was probably written for an older design and not updated:

    return offset+1, string.gsub(strbuf.dump(record), 0, '.')

The string.gsub call means to turn every 0 in the record into '.'. 0 is not a string, so this doesn't make sense, except that number to string is one of the few (only?) implicit type conversions Lua will do. So 0 is turned into '0' and the replacement happens. My best guess for what was meant is

    return offset+1, string.gsub(strbuf.dump(record), string.char(0), '.')

which would replace NUL bytes with '.'. But the dots are already added in another part of the code, so I changed it to simply

    return offset+1, strbuf.dump(record)

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
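As an added example (not code from dns-zone-transfer.nse or dns.lua), the following Lua sketches the two pieces this thread discusses: an iterator that strips the two-byte length prefix from each DNS-over-TCP message, and a label decoder whose dotted output the buggy string.gsub(..., 0, '.') line then mangles. The tcp_messages and decode_name functions and the sample bytes are assumptions constructed for the example.

```lua
-- Added example, not code from dns-zone-transfer.nse or dns.lua.
-- Constructed sample: two DNS-over-TCP messages, each preceded by a two-byte
-- big-endian length; the message bodies are just wire-format names here.
local wire_name = "\6net360\7example\3com\0"
local stream = "\0\20" .. wire_name .. "\0\5" .. "\3com\0"

-- Iterate over length-prefixed messages, stripping the prefix from each.
local function tcp_messages(buf)
  local pos = 1
  return function()
    if pos > #buf then return nil end
    local hi, lo = buf:byte(pos, pos + 1)
    if lo == nil then error("truncated length prefix") end
    local len = hi * 256 + lo
    local msg = buf:sub(pos + 2, pos + 1 + len)
    if #msg < len then error("truncated message") end
    pos = pos + 2 + len
    return msg
  end
end

-- Decode one uncompressed wire-format name (assumption: no compression
-- pointers) into dotted form; the dots are inserted here, nowhere else.
local function decode_name(buf, offset)
  local labels = {}
  while true do
    local len = buf:byte(offset)
    if len == nil then error("truncated name") end
    offset = offset + 1
    if len == 0 then break end
    if offset + len - 1 > #buf then error("label runs past buffer") end
    labels[#labels + 1] = buf:sub(offset, offset + len - 1)
    offset = offset + len
  end
  return table.concat(labels, "."), offset
end

local names = {}
for msg in tcp_messages(stream) do
  names[#names + 1] = (decode_name(msg, 1))
end
assert(names[1] == "net360.example.com" and names[2] == "com")

-- The buggy line: the number 0 is coerced to the pattern "0", so every
-- ASCII '0' becomes '.'. (Parenthesised to drop gsub's second return value.)
assert((string.gsub(names[1], 0, ".")) == "net36..example.com")
-- The string.char(0) guess is not exercised: Lua 5.1 patterns cannot contain
-- an embedded NUL. The fix simply returns the already-dotted name unchanged.
assert(names[1] == "net360.example.com")
```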
Current thread:
- DNS decoding bug in dns-zone-transfer.nse fixed David Fifield (Feb 06)
- Stack overflow in dns-zone-transfer.nse David Fifield (Feb 06)
- Re: Stack overflow in dns-zone-transfer.nse David Fifield (Feb 07)
- Re: Stack overflow in dns-zone-transfer.nse David Fifield (Feb 09)
- Re: DNS decoding bug in dns-zone-transfer.nse fixed Fyodor (Feb 06)
- Stack overflow in dns-zone-transfer.nse David Fifield (Feb 06)