Vulnerability Development mailing list archives
Re: Bug, possible hole in nslookup, various operating systems
From: SSecurity <dave.mclaughlin () site-security net>
Date: Sun, 17 Dec 2000 11:20:25 EST
Just a couple that I tested...

Slackware 7.1.0
Linux slackware 2.2.17 #2

bash-2.04$ nslookup
Default Server:  proxy1.corlis1.pa.home.com
Address:  24.1.40.33

fatal flex scanner internal error--end of buffer missed
bash-2.04$
___________

FreeBSD 2.2.7-STABLE

bash-2.01$ nslookup
Default Server:  ns1.xxxxxxx.net
Address:  199.xxx.xx.10

^C ^C ^C ^C ^C

Dave McLaughlin
security () justshow com

On Fri, 15 Dec 2000 11:23:16 -0600, Gunnar Wolf said:
Hello,

I found a strange behavior in the nslookup command, and was able to reproduce it on several different platforms. I do not have deep knowledge of the inner workings of nslookup, but the message I got seemed a bit suspicious, and I decided to report it before someone can find a way to exploit it.

What I am doing is very simple - too simple, maybe. I run nslookup in interactive mode, and send ^C while it is waiting for my text. This leads to this error:

---------------------------------------------------------
SOLARIS:
---------------------------------------------------------
[gwolf@solaris gwolf]$ /usr/sbin/nslookup
Default Server:  dns1.unam.mx
Address:  132.248.204.1

> asd^C
> fatal flex scanner internal error--end of buffer missed

---------------------------------------------------------
LINUX:
---------------------------------------------------------
[gwolf@linux gwolf]$ nslookup
Default Server:  dns1.unam.mx
Address:  132.248.204.1

> asd
> fatal flex scanner internal error--end of buffer missed

---------------------------------------------------------
IRIX:
---------------------------------------------------------
Yes_Master: nslookup
Default Server:  dns1.unam.mx
Address:  132.248.204.1

>
> fatal flex scanner internal error--end of buffer missed

I think that when a ^C is received, nslookup is passing a non-terminated string - a string without the ASCII 0 character marking the end of the string. The flex lexical analyzer detects this and, fortunately, complains out loud... However, there can be a way to lead from here to a compromise situation.

I tried to run this in OpenBSD and in Digital UNIX, and:

---------------------------------------------------------
OPENBSD
---------------------------------------------------------
[gwolf@openbsd gwolf]$ nslookup
Default Server:  dns1.unam.mx
Address:  132.248.204.1

> ^C
> ^C
>

---------------------------------------------------------
DIGITAL
---------------------------------------------------------
digital> nslookup
Default Server:  dns1.unam.mx
Address:  132.248.204.1

>
>
---------------------------------------------------------

The operating systems and versions I tested this on are:

VULNERABLE:
RedHat Linux 6.1 for Alpha and i386 (kernel 2.2.16)
Solaris 7 for Sparc
Irix athos 6.2

NOT VULNERABLE:
OpenBSD 2.7 for Sparc and i386
OpenBSD 2.8 for i386
Digital Unix V4.0C

-------------------------------------------------------------------
Gunnar Wolf
gwolf () campus iztacala unam mx
Universidad Nacional Autónoma de México, Campus Iztacala
Jefatura de Sección de Desarrollo y Admon. de Sistemas en Red
Departamento de Seguridad en Computo - DGSCA - UNAM
-------------------------------------------------------------------
Current thread:
- Bug, possible hole in nslookup, various operating systems Gunnar Wolf (Dec 17)
- Re: Bug, possible hole in nslookup, various operating systems Damian Menscher (Dec 18)
- Re: Bug, possible hole in nslookup, various operating systems Michal Zalewski (Dec 18)
- Re: Bug, possible hole in nslookup, various operating systems Gunnar Wolf (Dec 18)
- Re: Bug, possible hole in nslookup, various operating systems Steve Lord (Dec 19)
- Re: Bug, possible hole in nslookup, various operating systems Ryan W. Maple (Dec 20)
- Re: Bug, possible hole in nslookup, various operating systems rpc (Dec 20)
- Re: Bug, possible hole in nslookup, various operating systems Damian Menscher (Dec 18)
- Re: Bug, possible hole in nslookup, various operating systems SSecurity (Dec 18)
- <Possible follow-ups>
- Re: Bug, possible hole in nslookup, various operating systems Kyle Bradley (Dec 18)