Bugtraq mailing list archives

Re: buffer overflow in nslookup?

From: bmr () MATH UAKRON EDU (Brandon Reynolds)
Date: Sat, 29 Aug 1998 22:22:26 -0400


On Sat, 29 Aug 1998, Peter van Dijk wrote:

*** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
Segmentation fault (core dumped)
[peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
Server:  zopie.attic.vuurwerk.nl
Address:  10.10.13.1

Segmentation fault (core dumped)

At first, this does not seem a problem: nslookup is not suid root or anything.
But several sites have cgi-scripts that call nslookup... tests show that these
will coredump when passed enough characters. Looks exploitable to me...


The offending line is line 684 in main.c:

    sscanf(string, " %s", host);        /* removes white space */

It could easily remedied by inserting something like this before it.

    if(strlen(string) > NAME_LEN) {
      fprintf(stderr,"host name too long.\n");
      exit(1);
    }

The code seems to be littered with sscanf's, but I guess the command line
is probably the only critical concern since it's not suid.

Brandon Reynolds                                   bmr () math uakron edu
The University of Akron              (330) 972-6776 fax (330) 374-8630
Mathematical Sciences                 http://www.math.uakron.edu/~bmr/

Current thread:

[djb () redhat com: Unidentified subject!], (continued)
- - - [djb () redhat com: Unidentified subject!] Paul Boehm (Aug 26)
    - SV: Serious Security Hole in Hotmail Jonathan James (Aug 26)
    - Re: Webmail.bellsouth.net security problems Joe (Aug 28)
    - [SECURITY] Seyon is vulnerable to a root exploit Martin Schulze (Aug 28)
    - Update on Linux unfsd Olaf Kirch (Aug 29)
    - Buffer overflows in Minicom 1.80.1 Eduardo Navarro (Aug 29)
    - Re: Buffer overflows in Minicom 1.80.1 Alan Brown (Aug 29)
    - Re: Buffer overflows in Minicom 1.80.1 M.C.Mar (Aug 31)
    - Re: Buffer overflows in Minicom 1.80.1 Wichert Akkerman (Aug 31)
    - buffer overflow in nslookup? Peter van Dijk (Aug 29)
    - Re: buffer overflow in nslookup? Brandon Reynolds (Aug 29)
    - Re: buffer overflow in nslookup? Peter van Dijk (Aug 30)
    - FreeBSD's RST validation Tristan Horn (Aug 30)
    - Re: FreeBSD's RST validation James Snow (Aug 30)
    - Re: FreeBSD's RST validation Tristan Horn (Aug 30)
    - port scanning. (fwd) Darren Reed (Aug 31)
    - Re: FreeBSD's RST validation Andrey Alekseyev (Aug 31)
    - Re: FreeBSD's RST validation Diane Bruce (Aug 30)
    - Re: FreeBSD's RST validation Oliver Friedrichs (Aug 31)
    - SEYON vulnerability in TurboLinux 2.0 Scott Stone (Aug 30)
    - Re: buffer overflow in nslookup? www.devoid.net (Aug 30)

(Thread continues...)