Bugtraq mailing list archives
Re: buffer overflow in nslookup?
From: bmr () MATH UAKRON EDU (Brandon Reynolds)
Date: Sat, 29 Aug 1998 22:22:26 -0400
On Sat, 29 Aug 1998, Peter van Dijk wrote:
*** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error Segmentation fault (core dumped) [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'` Server: zopie.attic.vuurwerk.nl Address: 10.10.13.1 Segmentation fault (core dumped) At first, this does not seem a problem: nslookup is not suid root or anything. But several sites have cgi-scripts that call nslookup... tests show that these will coredump when passed enough characters. Looks exploitable to me...
The offending line is line 684 in main.c: sscanf(string, " %s", host); /* removes white space */ It could easily remedied by inserting something like this before it. if(strlen(string) > NAME_LEN) { fprintf(stderr,"host name too long.\n"); exit(1); } The code seems to be littered with sscanf's, but I guess the command line is probably the only critical concern since it's not suid. Brandon Reynolds bmr () math uakron edu The University of Akron (330) 972-6776 fax (330) 374-8630 Mathematical Sciences http://www.math.uakron.edu/~bmr/
Current thread:
- [djb () redhat com: Unidentified subject!], (continued)
- [djb () redhat com: Unidentified subject!] Paul Boehm (Aug 26)
- SV: Serious Security Hole in Hotmail Jonathan James (Aug 26)
- Re: Webmail.bellsouth.net security problems Joe (Aug 28)
- [SECURITY] Seyon is vulnerable to a root exploit Martin Schulze (Aug 28)
- Update on Linux unfsd Olaf Kirch (Aug 29)
- Buffer overflows in Minicom 1.80.1 Eduardo Navarro (Aug 29)
- Re: Buffer overflows in Minicom 1.80.1 Alan Brown (Aug 29)
- Re: Buffer overflows in Minicom 1.80.1 M.C.Mar (Aug 31)
- Re: Buffer overflows in Minicom 1.80.1 Wichert Akkerman (Aug 31)
- buffer overflow in nslookup? Peter van Dijk (Aug 29)
- Re: buffer overflow in nslookup? Brandon Reynolds (Aug 29)
- Re: buffer overflow in nslookup? Peter van Dijk (Aug 30)
- FreeBSD's RST validation Tristan Horn (Aug 30)
- Re: FreeBSD's RST validation James Snow (Aug 30)
- Re: FreeBSD's RST validation Tristan Horn (Aug 30)
- port scanning. (fwd) Darren Reed (Aug 31)
- Re: FreeBSD's RST validation Andrey Alekseyev (Aug 31)
- Re: FreeBSD's RST validation Diane Bruce (Aug 30)
- Re: FreeBSD's RST validation Oliver Friedrichs (Aug 31)
- SEYON vulnerability in TurboLinux 2.0 Scott Stone (Aug 30)
- Re: buffer overflow in nslookup? www.devoid.net (Aug 30)