[935] in linux-security and linux-alert archive


[linux-security] about in.identd

daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Sat Jul 20 20:06:29 1996

To: linux-security@tarsier.cv.nrao.edu
In-reply-to: Your message of "Thu, 18 Jul 1996 09:42:04 EDT."
             <Pine.LNX.3.91.960718093954.67A-100000@tcpip> 
Date: Thu, 18 Jul 1996 21:44:12 -0400
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>



> The rfc specifies the maximum length for ident responses is 512 bytes, 
			^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> so I don't see how machine code would do anything of any use, 
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> barring overflows which should not happen, since it should read no more than 512 
                          ^^^^^^^^^^^^^^^^^^          ^^^^^^      ^^^^^^^^
> bytes, and the buffer it should read into should be atleast 512 bytes.
                           ^^^^^^^^^^^^     ^^^^^^^^^
I rest my case. Look at the number of assumptions that were made. What happens
if somehow the designer follows the 1st one and makes sure that 512
bytes do fit, and then instead of reading 512 bytes reads until the channel
is closed?

If I recall correctly, the attack was described in CS-96:02. If I recall
correctly, pre-8.6.10 sendmail had this problem.


Best wishes,
Alex
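The failure mode described above, a reader that keeps going until the peer closes the channel instead of stopping at the 512-octet RFC 1413 limit, is avoided by checking the limit on every octet received. This is an added example, not code from the post or from any in.identd; the sample reply is the one given in RFC 1413 and the other inputs are constructed.

```c
/* Bounded reader for an ident (RFC 1413) response line.  Added example,
 * not code from the original post or from any in.identd implementation. */
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define IDENT_MAX 512  /* RFC 1413: a response line, CRLF included, is at most 512 octets */

/* Read one response line from fd into buf[IDENT_MAX], stripping CRLF.
 * Returns the line length on success, -1 if the peer closes the channel
 * (or read fails) before a terminator, -2 if the 512-octet limit is hit
 * without a terminator.  The limit is enforced per octet, so a peer that
 * keeps sending until it closes the connection cannot grow the line. */
int read_ident_response(int fd, char *buf)
{
    size_t n = 0, total = 0;
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);      /* one octet at a time, for clarity */
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;            /* EOF or error before the terminator */
        if (++total > IDENT_MAX) return -2;
        if (c == '\n') break;
        buf[n++] = c;                     /* n <= IDENT_MAX - 1 on the success path */
    }
    if (n > 0 && buf[n - 1] == '\r') n--;
    buf[n] = '\0';
    return (int)n;
}

/* Helper: push constructed bytes through a pipe, close the writer (the peer
 * "closes the channel"), then run the reader.  Returns the reader's result. */
int feed_and_read(const char *data, size_t len, char *out)
{
    int p[2], rc;
    if (pipe(p) != 0) return -1;
    if (write(p[1], data, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    rc = read_ident_response(p[0], out);
    close(p[0]);
    return rc;
}

/* Constructed cases: the sample reply from RFC 1413, the same reply cut off
 * before CRLF, and a 2000-octet stream with no terminator at all. */
static const char VALID[] = "6191, 23 : USERID : UNIX : stjohns\r\n";
static const char CUT[]   = "6191, 23 : USERID : UNIX : stjohns";

int demo_valid(void)   { char b[IDENT_MAX]; return feed_and_read(VALID, sizeof VALID - 1, b) == 34 && strcmp(b, CUT) == 0; }
int demo_cut(void)     { char b[IDENT_MAX]; return feed_and_read(CUT, sizeof CUT - 1, b); }
int demo_endless(void) { char b[IDENT_MAX], big[2000]; memset(big, 'A', sizeof big); return feed_and_read(big, sizeof big, b); }
```

The third case is the one the message warns about: the sender never terminates the line, and the reader rejects it at octet 513 rather than writing past the buffer.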
