Vulnerability Development mailing list archives

Re: Bug, possible hole in nslookup, various operating systems


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Sun, 17 Dec 2000 16:29:38 +0100

On Sat, 16 Dec 2000, Damian Menscher wrote:

I found a strange behavior in the nslookup command, and was able to
reproduce it on several different platforms. I do not have deep knowledge
of the inner workings of nslookup, but the message I got seemed a bit
suspicious, and I decided to report it before someone can find a way to
exploit it.

nslookup has 755 permissions on all machines I've seen, so I'm not
sure what the danger is....  You thinking of something in the kernel?

Hey, people - think. Nslookup is running in user-space (1) with no
privileges (2). Kernel has nothing to do with name lookups (3) or flex
parser (4) itself. This flex warning message is not caused by any
exploitable condition (5). Now, what is the conclusion?:)

I do not get it. I have more vulnerabilities of this kind. Or even more
juicy:

# dig "@`perl -e '{print "\x20"x250}'`id #"
/.../
uid=0(root) gid=0(root) groups=0(root)

And so what?;>

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=


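The check Damian's "nslookup has 755 permissions" remark is getting at, written out as an added example (this is not code from the thread or from either poster): a crash or parser warning in a program that runs with the invoking user's own privileges, on input the user typed himself, does not cross a trust boundary; the same bug only matters if the binary is setuid/setgid, or is fed input by a less trusted party. The two function names and the mode-string parsing are my own; the script classifies a binary purely from the mode field of `ls -l` (the "s" in the owner or group execute slot), so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread): does a local bug in this binary
# cross a privilege boundary? "755" means no setuid/setgid bit, so the
# program runs as whoever typed the command, and a flex warning or even
# a crash there gives that user nothing he did not already have.
# Function names (classify_mode, classify_binary) are my own choice.

# classify_mode MODESTRING
#   Takes the 10-character mode field printed by `ls -l`
#   (e.g. "-rwsr-xr-x") and prints one of:
#   setuid / setgid / setuid+setgid / unprivileged.
#   Returns 0 when a privilege bit is set, 1 otherwise.
classify_mode() {
    m=$1
    uid=0
    gid=0
    # 4th character is the owner execute slot: 's' or 'S' means setuid.
    case "$m" in ???[sS]*) uid=1 ;; esac
    # 7th character is the group execute slot: 's' or 'S' means setgid.
    case "$m" in ??????[sS]*) gid=1 ;; esac
    if [ "$uid" = 1 ] && [ "$gid" = 1 ]; then echo setuid+setgid; return 0; fi
    if [ "$uid" = 1 ]; then echo setuid; return 0; fi
    if [ "$gid" = 1 ]; then echo setgid; return 0; fi
    echo unprivileged
    return 1
}

# classify_binary NAME_OR_PATH
#   Resolves a bare command name via PATH, then classifies its mode.
#   Prints "not found: NAME" and returns 2 if it cannot be located.
classify_binary() {
    p=$1
    case "$p" in
        */*) ;;
        *) p=$(command -v "$p" 2>/dev/null) || { echo "not found: $1"; return 2; } ;;
    esac
    [ -e "$p" ] || { echo "not found: $p"; return 2; }
    # First field of `ls -ld`, cut to 10 chars so the '+' or '.' that
    # GNU ls appends for ACLs/SELinux labels does not disturb the parse.
    mode=$(ls -ld "$p" | cut -c1-10)
    classify_mode "$mode"
}

# Demonstration on the two tools discussed in the thread. Output depends
# on the host; on a normal install both print "unprivileged" (mode 755).
for tool in nslookup dig; do
    printf '%s: ' "$tool"
    classify_binary "$tool" || true
done
```

Read "unprivileged" as: whatever the parser does with your own input, it does it as you. The dig one-liner above is the same point from the other side: the backticks are expanded by the root shell that typed the command, so `id` prints uid=0 because the operator was already root, not because dig handed anyone anything.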