Vulnerability Development mailing list archives

Re: Bug, possible hole in nslookup, various operating systems


From: Steve Lord <stevel () LINUXIT COM>
Date: Tue, 19 Dec 2000 12:43:07 +0000

Gunnar Wolf wrote:

I found a strange behavior in the nslookup command, and was able to
reproduce it in several different platforms. I do not have deep knowledge
of the inner working of nslookup, but the message I got seemed a bit
suspicious, and I decided to report it before someone can find a way to
exploit it.

nslookup has 755 permissions on all machines I've seen, so I'm not sure
what the danger is... Are you thinking of something in the kernel?

I lack enough knowledge to tell if this is or not potentially
dangerous... I only know this is not the expected behavior - it is a bug,
and bugs potentially can become holes.

What I am doing is very simple - too simple, maybe. I run nslookup in
interactive mode, and send ^C while it is waiting for my text.

Just to add a new platform:

IRIX 6.5.6m is not vulnerable

Good, thank you!

I know very little about writing overflow exploits, but running strings
on it revealed (amongst other things):

fatal flex scanner internal error--no action found
fatal flex scanner internal error--end of buffer missed
fatal error - scanner input buffer overflow
input in flex scanner failed
flex scanner push-back overflow
unexpected last match in input()
out of dynamic memory in yy_create_buffer()
out of dynamic memory in yy_scan_buffer()
out of dynamic memory in yy_scan_bytes()
bad buffer in yy_scan_bytes()

There's a lot of junk in there which leads me to believe that whoever
wrote it (I don't have the source and can't be bothered downloading it)
was at least aware of buffer overflows and put in stuff to protect it,
as well as some format checking stuff. If there is an exploit it doesn't
have root privileges anyway, although that doesn't necessarily mean
that a root shell is out of the picture. I've only tested this on the
version of nslookup in the bind-utils-8.2.2_P5-24 package shipped with
RedHat pinstripe.

The ltrace looks rather interesting though. If there's anyone out there
who knows more C than me (i.e. 99% of this list) then it might be worth
peering into.

Steve Lord
Senior Technical Consultant
LinuxIT

--
An Englishman never enjoys himself, except for a noble purpose.
                -- A.P. Herbert
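The repro in this thread is "run the tool so it sits waiting for input, then hit ^C". The next thing a practitioner wants is to do that repeatably and classify the result: did the process die of SIGINT with the default action, did it catch the signal and exit cleanly, did it survive, or did it die of some other signal (a SIGSEGV on ^C is what would turn a bug report into something worth a closer look with ltrace/gdb). The harness below is an added example and is not code from Steve Lord, Gunnar Wolf or BIND. It feeds the target an empty but still-open pipe on stdin, which is an assumption: a tool that only enters interactive mode when isatty(0) is true would need a pseudo-terminal wrapper such as script(1) instead. It also sends SIGINT to the single child pid, whereas a real ^C goes to the whole foreground process group. The three built-in targets are constructed stand-ins (sleep, sleep with SIGINT ignored, and a shell whose INT trap deliberately raises SIGSEGV) so the program runs without nslookup present; pass a command line to probe a real binary. The `is_setuid` check covers Steve's first question about the 755 permissions.

```c
/* sigint_probe.c -- reproduce "send ^C while the tool waits for input" against
 * any program and classify how it reacts. Added example, not from the thread
 * or from BIND.  Build: cc -o sigint_probe sigint_probe.c */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum outcome {
    PROBE_ERROR    = -1, /* pipe/fork/wait failed                                  */
    DIED_OF_SIGINT = 0,  /* default disposition: terminated by SIGINT, nothing odd */
    EXITED         = 1,  /* caught SIGINT and exited normally (detail = status)    */
    CRASHED        = 2,  /* terminated by some other signal (detail = signal)      */
    SURVIVED       = 3   /* ignored or swallowed SIGINT; we had to SIGKILL it      */
};

/* Is the binary setuid or setgid at all? 1 = yes, 0 = no, -1 = stat failed. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_ISUID | S_ISGID)) ? 1 : 0;
}

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Poll for up to ms milliseconds: 1 = child reaped, 0 = still running, -1 = error. */
static int wait_for(pid_t pid, int *status, long ms)
{
    for (long waited = 0;; waited += 20) {
        pid_t r = waitpid(pid, status, WNOHANG);
        if (r == pid) return 1;
        if (r < 0) return -1;
        if (waited >= ms) return 0;
        sleep_ms(20);
    }
}

static enum outcome classify(int status, int *detail)
{
    if (WIFEXITED(status)) {
        if (detail) *detail = WEXITSTATUS(status);   /* 127 here means exec failed */
        return EXITED;
    }
    if (WIFSIGNALED(status)) {
        if (detail) *detail = WTERMSIG(status);
        return WTERMSIG(status) == SIGINT ? DIED_OF_SIGINT : CRASHED;
    }
    return PROBE_ERROR;
}

/* Start argv with stdin on an empty pipe (a line-oriented tool blocks in read()
 * at its prompt), wait settle_ms, deliver SIGINT, then watch it for grace_ms. */
enum outcome probe_sigint(char *const argv[], long settle_ms, long grace_ms, int *detail)
{
    int fds[2], status, w;
    enum outcome result;
    if (pipe(fds) != 0)
        return PROBE_ERROR;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return PROBE_ERROR;
    }
    if (pid == 0) {
        sigset_t none;
        sigemptyset(&none);
        sigprocmask(SIG_SETMASK, &none, NULL);   /* inherit neither a signal mask */
        signal(SIGINT, SIG_DFL);                 /* nor an ignored SIGINT          */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[0]);
    sleep_ms(settle_ms);             /* let the target reach its input loop */
    kill(pid, SIGINT);               /* approximates ^C (which hits the whole foreground group) */
    w = wait_for(pid, &status, grace_ms);
    if (w == 1) {
        result = classify(status, detail);
    } else if (w == 0) {
        kill(pid, SIGKILL);          /* it shrugged off SIGINT: clean up and report */
        waitpid(pid, &status, 0);
        if (detail) *detail = SIGKILL;
        result = SURVIVED;
    } else {
        result = PROBE_ERROR;
    }
    close(fds[1]);
    return result;
}

/* Constructed stand-ins so this runs without nslookup: default disposition,
 * SIGINT ignored, and an INT handler that itself does something fatal. */
static char *const TARGET_DEFAULT[]     = { "sleep", "30", NULL };
static char *const TARGET_IGNORES[]     = { "sh", "-c", "trap '' INT; exec sleep 30", NULL };
static char *const TARGET_BAD_HANDLER[] = { "sh", "-c", "trap 'kill -s SEGV $$' INT; while :; do :; done", NULL };

static const char *outcome_name(enum outcome o)
{
    switch (o) {
    case DIED_OF_SIGINT: return "died of SIGINT (default action)";
    case EXITED:         return "caught SIGINT and exited";
    case CRASHED:        return "terminated by another signal: look closer";
    case SURVIVED:       return "survived SIGINT, killed with SIGKILL";
    default:             return "probe error";
    }
}

int main(int argc, char **argv)
{
    char *const *targets[] = { TARGET_DEFAULT, TARGET_IGNORES, TARGET_BAD_HANDLER };
    int detail, i;
    if (argc > 1) {                  /* e.g. ./sigint_probe /usr/bin/nslookup */
        enum outcome o = probe_sigint(argv + 1, 500, 3000, &detail);
        printf("%s: %s (detail %d), setuid=%d\n", argv[1], outcome_name(o), detail, is_setuid(argv[1]));
        return 0;
    }
    for (i = 0; i < 3; i++) {
        enum outcome o = probe_sigint(targets[i], 300, 2000, &detail);
        printf("case %d: %s (detail %d)\n", i, outcome_name(o), detail);
    }
    return 0;
}
```

A CRASHED result with a signal other than SIGINT is the only one of the four that argues for spending time on a debugger; DIED_OF_SIGINT and EXITED are the ordinary shapes of ^C handling, and SURVIVED just means the tool ignores the signal. Combine it with `is_setuid` on the real path: an unprivileged crash in a 755 binary is a local denial of the user's own session, not an elevation.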

