Vulnerability Development mailing list archives

Re: traceroute-4.4BSD (slack) heap overflow


From: Matt Zimmerman <mdz () CSH RIT EDU>
Date: Thu, 11 Jan 2001 12:23:14 -0500

On Tue, Jan 09, 2001 at 03:25:08PM -0800, Cristi Dumitrescu wrote:

Been there, tried that. I knew the old way of viewing the shadow with ping
or traceroute utilities using this method. Fact is RESOLV_HOST_CONF is not
referring to /etc/hosts, but to /etc/resolv.conf =[ You could at most use a
rogue ns with this method.

Fact is, RESOLV_HOST_CONF is not referring to /etc/resolv.conf, but to
/etc/host.conf.  This is much more difficult to exploit.

Directives available:

       order  This keyword specifies how host lookups are  to  be
              performed.   It  should  be followed by one or more
              lookup methods, separated by commas.  Valid methods
              are bind , hosts and nis .

       trim   This  keyword  may  be listed more than once.  Each
              time it should be followed by a single domain name,
              with  the  leading  dot.   When  set,  the  resolv+
              library will automatically trim  the  given  domain
              name from the end of any hostname resolved via DNS.
              This is intended  for  use  with  local  hosts  and
              domains.  (Related note: trim will not affect host-
              names gathered via NIS or  the  hosts  file.   Care
              should  be  taken to insure that the first hostname
              for each entry in the hosts file is fully qualified
              or  non-qualified,  as  appropriate  for  the local
              installation.)

       multi  Valid values are on and off .  If set to "on,"  the
              resolv+ library will return all valid addresses for
              a host that appears in the /etc/hosts file, instead
              of  only  the first.  This is off by default, as it
              may cause a substantial performance loss  at  sites
              with large hosts files.

       nospoof
              Valid  values are on and off .  If set to "on," the
              resolv+ library will attempt  to  prevent  hostname
              spoofing to enhance the security of rlogin and rsh.
              It  works  as  follows:  after  performing  a  host
              address  lookup,  resolv+  will  perform a hostname
              lookup for that address.  If the two  hostnames  do
              not match, the query will fail.

       alert  If  this  option  is  set  to  "on" and the nospoof
              option is also set, resolv+ will log a  warning  of
              the  error  via  the  syslog facility.  The default
              value is off.

       reorder
              Valid values are on and off  .   If  set  to  "on,"
              resolv+  will  attempt to reorder host addresses so
              that local addresses (i.e., on the same subnet) are
              listed  first  when a gethostbyname() is performed.
              Reordering is done for  all  lookup  methods.   The
              default value is off.
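As an added example (not part of this thread), a small Python checker that parses the host.conf directives listed above and reports invalid values and the settings a reviewer would query; treating '#' as a comment marker is an assumption, and the sample file is constructed:

```python
# Added example (not from the thread): validating parser for the host.conf
# directives quoted above. Treating '#' as a comment marker is an assumption.
from dataclasses import dataclass, field

VALID_ORDER = {"bind", "hosts", "nis"}
ON_OFF = ("multi", "nospoof", "alert", "reorder")


@dataclass
class HostConf:
    order: list = field(default_factory=list)
    trim: list = field(default_factory=list)  # trim may be listed more than once
    flags: dict = field(default_factory=lambda: {k: "off" for k in ON_OFF})
    warnings: list = field(default_factory=list)


def parse_host_conf(text: str) -> HostConf:
    conf = HostConf()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "order":
            methods = [m.strip() for m in value.split(",")]
            bad = [m for m in methods if m not in VALID_ORDER]
            if bad:
                conf.warnings.append(f"line {lineno}: unknown lookup method(s) {bad}")
            conf.order = methods
        elif keyword == "trim":
            if not value.startswith("."):
                conf.warnings.append(f"line {lineno}: trim domain needs a leading dot")
            conf.trim.append(value)
        elif keyword in ON_OFF:
            if value in ("on", "off"):
                conf.flags[keyword] = value
            else:
                conf.warnings.append(f"line {lineno}: {keyword} must be on or off")
        else:
            conf.warnings.append(f"line {lineno}: unknown directive {keyword!r}")
    # Security-relevant combinations from the directive descriptions
    if conf.flags["nospoof"] == "off":
        conf.warnings.append("nospoof off: reverse lookup is not checked against the forward result")
    elif conf.flags["alert"] == "off":
        conf.warnings.append("nospoof on but alert off: mismatches are rejected without a syslog warning")
    return conf

SAMPLE = "order hosts,bind\ntrim example.test\nmulti on\nnospoof on\nalert off\n"  # constructed
if __name__ == "__main__":
    print("\n".join(parse_host_conf(SAMPLE).warnings))
```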

-- 
 - mdz
