Bugtraq mailing list archives

buffer overflow in nslookup?

From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Sat, 29 Aug 1998 16:36:02 +0200


[peter@koek] ~$ nslookup `perl -e 'print "A" x 100;'`
Server:  zopie.attic.vuurwerk.nl
Address:  10.10.13.1

*** zopie.attic.vuurwerk.nl can't find AAA.....AAA: Unspecified error
[peter@koek] ~$ nslookup `perl -e 'print "A" x 300;'`
Server:  zopie.attic.vuurwerk.nl
Address:  10.10.13.1

*** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
Segmentation fault (core dumped)
[peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
Server:  zopie.attic.vuurwerk.nl
Address:  10.10.13.1

Segmentation fault (core dumped)

At first, this does not seem a problem: nslookup is not suid root or anything.
But several sites have cgi-scripts that call nslookup... tests show that these
will coredump when passed enough characters. Looks exploitable to me...

Greetz, Peter.
--
'I guess anybody who walks away from a root shell at :         Peter van Dijk
 a nerd party gets what they deserve!' -- BillSF     :peter () attic vuurwerk nl
-- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --
finger hardbeat () selweird ml org for my public PGP-key
  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -

Current thread:

[paul () boehm org: [cert-advisory () cert org: CERT Summary CS-98.07]], (continued)
- - - [paul () boehm org: [cert-advisory () cert org: CERT Summary CS-98.07]] Paul Boehm (Aug 26)
    - [djb () redhat com: Unidentified subject!] Paul Boehm (Aug 26)
    - SV: Serious Security Hole in Hotmail Jonathan James (Aug 26)
    - Re: Webmail.bellsouth.net security problems Joe (Aug 28)
    - [SECURITY] Seyon is vulnerable to a root exploit Martin Schulze (Aug 28)
    - Update on Linux unfsd Olaf Kirch (Aug 29)
    - Buffer overflows in Minicom 1.80.1 Eduardo Navarro (Aug 29)
    - Re: Buffer overflows in Minicom 1.80.1 Alan Brown (Aug 29)
    - Re: Buffer overflows in Minicom 1.80.1 M.C.Mar (Aug 31)
    - Re: Buffer overflows in Minicom 1.80.1 Wichert Akkerman (Aug 31)
    - buffer overflow in nslookup? Peter van Dijk (Aug 29)
    - Re: buffer overflow in nslookup? Brandon Reynolds (Aug 29)
    - Re: buffer overflow in nslookup? Peter van Dijk (Aug 30)
    - FreeBSD's RST validation Tristan Horn (Aug 30)
    - Re: FreeBSD's RST validation James Snow (Aug 30)
    - Re: FreeBSD's RST validation Tristan Horn (Aug 30)
    - port scanning. (fwd) Darren Reed (Aug 31)
    - Re: FreeBSD's RST validation Andrey Alekseyev (Aug 31)
    - Re: FreeBSD's RST validation Diane Bruce (Aug 30)
    - Re: FreeBSD's RST validation Oliver Friedrichs (Aug 31)
    - SEYON vulnerability in TurboLinux 2.0 Scott Stone (Aug 30)

(Thread continues...)