Bugtraq mailing list archives

Re: buffer overflow in nslookup?


From: dszd0g () dasb fhda edu (Benjamin J Stassart)
Date: Sun, 30 Aug 1998 20:29:43 -0700


-----BEGIN PGP SIGNED MESSAGE-----

Date: Sun, 30 Aug 1998 18:47:18 -0700
From: "www.devoid.net" <admin () fallin devoid net>
To: BUGTRAQ () netspace org
Subject: Re: buffer overflow in nslookup?

My last mail didn't go out, so this time I won't go through all the examples
because I do not have the time.
None of these buffer overruns core my nslookup (bind-8.1.2).
I am running a dual processor x86,
Pentium classic,
and Cyril

Try:

nslookup `perl -e 'print "A" x 5000;'`

Under some OSes it may require a larger string to overflow the buffer.

Where did the nslookup in these examples originate?

If your nslookup's main.c includes:

    sscanf(string, " %s", host);        /* removes white space */

(at line 681 in 4.9.7-REL and at line 684 in 8.1.2) and it does not
check the length of 'string', then you are vulnerable.

Benjamin J. Stassart
- ------------------------------------------------+
 A great many people think they are thinking    |
 when they are merely rearranging their         |
 prejudices                                     |

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

iQCVAwUBNeoYqZePz5nhUoJ9AQGVBwP/Q/QSBftNZBznBh940NbPykhSEldDRcHx
fJmZsjhivBTrKNHaP+QHhCVoFjP5wY36rLt6zEc0wCSA2kJiW1h0n2AakmxShUNC
/vamXF5NzGcC4dM5PAj20QPjK2bBnAJQuqDtUGGqFBp7gSlVqCdhjQdmwU9uoEOr
kg6c9008SfU=
=xyfZ
-----END PGP SIGNATURE-----
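The `sscanf(string, " %s", host)` line quoted above, placed beside two bounded forms, as an added example for this archive page; it is not nslookup's own code and not from either poster. The buffer size `HOST_BUF_SIZE`, the function names, and the sample inputs are assumptions: the real size of `host` in main.c is not stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the real size of nslookup's 'host' is not on the page. */
#define HOST_BUF_SIZE 256

/* The shape quoted from main.c: no field width, so " %s" copies the whole
 * whitespace-delimited token however long it is.  Called below only with a
 * short string; with 5000 bytes it would write past the end of host. */
static int parse_host_unsafe(const char *string, char *host)
{
    return sscanf(string, " %s", host);        /* removes white space */
}

/* Minimal fix: a field width of hostsz-1 makes sscanf stop early.  This
 * silently truncates an over-long token instead of reporting it. */
static int parse_host_width(const char *string, char *host, size_t hostsz)
{
    char fmt[32];
    if (hostsz < 2) return -1;
    snprintf(fmt, sizeof fmt, " %%%zus", hostsz - 1);   /* e.g. " %255s" */
    return sscanf(string, fmt, host);
}

/* Stricter fix: measure the token first and refuse anything that does not
 * fit.  Returns 1 on success, 0 if the string holds no token, -1 if the
 * token plus its terminating NUL would not fit in hostsz bytes. */
static int parse_host_checked(const char *string, char *host, size_t hostsz)
{
    static const char ws[] = " \t\n\r\f\v";
    const char *start = string + strspn(string, ws);
    size_t len = strcspn(start, ws);

    if (hostsz == 0) return -1;
    if (len == 0) { host[0] = '\0'; return 0; }
    if (len >= hostsz) return -1;               /* would overflow: reject */
    memcpy(host, start, len);
    host[len] = '\0';
    return 1;
}

/* Builds the same argument as `perl -e 'print "A" x n'`; caller frees it. */
static char *make_long_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Returns what parse_host_checked reports for an n-byte token of 'A's. */
static int checked_result_for_length(size_t n)
{
    char host[HOST_BUF_SIZE];
    char *arg = make_long_arg(n);
    int rc;
    if (!arg) return -2;
    rc = parse_host_checked(arg, host, sizeof host);
    free(arg);
    return rc;
}

/* Returns 1 if the checked parser accepts `in` and stores `expected`. */
static int checked_parses_to(const char *in, const char *expected)
{
    char host[HOST_BUF_SIZE];
    return parse_host_checked(in, host, sizeof host) == 1
        && strcmp(host, expected) == 0;
}

/* Returns the length the width-limited parser stored for n 'A's. */
static size_t width_stored_length(size_t n)
{
    char host[HOST_BUF_SIZE];
    char *arg = make_long_arg(n);
    if (!arg) return 0;
    parse_host_width(arg, host, sizeof host);
    free(arg);
    return strlen(host);
}

int main(void)
{
    char host[HOST_BUF_SIZE];

    parse_host_unsafe("  ns1.example.net", host);      /* short: harmless */
    printf("unsafe parse of short input: %s\n", host);
    printf("checked parse of 5000 'A's: %d (expect -1)\n",
           checked_result_for_length(5000));
    printf("width-limited parse of 5000 'A's stores %zu bytes\n",
           width_stored_length(5000));
    return 0;
}
```

The field-width form is the one-line patch a maintainer would apply, but because it truncates quietly a 5000-byte argument simply becomes a 255-byte hostname; the measured form refuses the token outright, which is the behaviour a resolver front end usually wants.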


