[10686] in bugtraq
Re: weaknesses in dns label decoding,
daemon@ATHENA.MIT.EDU (bobk)
Mon May 31 19:47:26 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.05.9905311746110.18771-100000@dark.sinister.com>
Date: Mon, 31 May 1999 17:49:53 -0400
Reply-To: bobk <bobk@SINISTER.COM>
From: bobk <bobk@SINISTER.COM>
X-To: Sebastian <scut@NB.IN-BERLIN.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.05.9905301511370.9647-101000@nb.in-berlin.de>
On Sun, 30 May 1999, Sebastian wrote:
>
> keywords: some dns packet decoders (sniffers, ids systems (?), dns
> servers) may be vulnerable to malformed compressed domain names
> inside dns packets.
>
> sorry aleph1, if this has already been known or posted =)
>
>
> hi,
>
> as I played with the DNS RFC (1035 especially) I came up with the idea to
> create malformed compressed dns domains inside the DNS packet to make it
> impossible for the DNS packet decoder to decompress it, which might lead
> to a denial of service attack.
Another thing to remember is that it is possible to put ABSOLUTELY
ANYTHING inside a DNS domain name. This includes whitespace, control
characters, and even NULL.
Imagine what could happen if some program did a strcmp() on the following
name:
rs.internic.net\0.xa.net
where, of course, \0 is a null
Interested readers may ponder what type of programs may be exploited with
this type of attack.
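Both points in this thread come down to how a decoder handles the wire form of a name: compression pointers (RFC 1035 section 4.1.4) that must be bounds-checked and must not be allowed to loop, and labels that are length-prefixed byte strings rather than C strings, so a NUL inside a label is legal and a strcmp() on the decoded name silently stops there. The following is an added example, not code from either poster: a small decoder that rejects out-of-range or looping pointers and keeps an explicit length on the decoded name, next to a comparison that shows what strcmp() sees versus a length-aware compare. The sample buffers are constructed here and hold only the name section, with pointer offsets taken relative to byte 0 of the buffer (in a real packet they are relative to the start of the DNS header).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded name in dotted form, kept with an explicit length so that
 * NUL bytes inside a label survive (a C string would cut them off). */
struct dns_name {
    uint8_t data[256];
    size_t len;
};

/* Decode the (possibly compressed) name at offset `off` of `pkt`.
 * Returns the number of bytes the name occupies at `off` (up to and
 * including the first pointer), or 0 if the name is malformed. */
size_t dns_decode_name(const uint8_t *pkt, size_t pktlen, size_t off,
                       struct dns_name *out)
{
    size_t consumed = 0, ptr_limit = off;
    int jumped = 0;
    out->len = 0;
    for (;;) {
        if (off >= pktlen) return 0;            /* ran off the packet */
        uint8_t c = pkt[off];
        if ((c & 0xC0) == 0xC0) {               /* 2-byte compression pointer */
            if (off + 1 >= pktlen) return 0;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[off + 1];
            if (!jumped) { consumed += 2; jumped = 1; }
            /* Each pointer must land strictly before the start of the chain
             * it was reached from; a loop can then never form. */
            if (target >= ptr_limit) return 0;
            ptr_limit = target;
            off = target;
            continue;
        }
        if (c & 0xC0) return 0;                 /* 0x40/0x80: reserved label types */
        if (c == 0) {                           /* root terminator */
            if (!jumped) consumed += 1;
            if (out->len == 0) out->data[out->len++] = '.';
            return consumed;
        }
        if (off + 1 + c > pktlen) return 0;     /* label runs past the packet */
        if (out->len + 1 + c > sizeof out->data) return 0;
        if (out->len > 0) out->data[out->len++] = '.';
        memcpy(out->data + out->len, pkt + off + 1, c);   /* raw bytes, NUL included */
        out->len += c;
        if (!jumped) consumed += 1 + c;
        off += 1 + c;
    }
}

/* Length-aware comparison: every byte of both names counts. */
int dns_name_equal(const struct dns_name *a, const struct dns_name *b)
{
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* What a strcmp()-based comparison sees: nothing past the first NUL. */
int dns_name_strcmp_equal(const struct dns_name *a, const struct dns_name *b)
{
    char sa[257], sb[257];
    memcpy(sa, a->data, a->len); sa[a->len] = '\0';
    memcpy(sb, b->data, b->len); sb[b->len] = '\0';
    return strcmp(sa, sb) == 0;
}

/* Constructed sample name sections (not real captures). */
static const uint8_t PKT_GOOD[] = {
    2,'r','s', 8,'i','n','t','e','r','n','i','c', 3,'n','e','t', 0, /* off 0: rs.internic.net */
    3,'w','w','w', 0xC0, 0x00                                      /* off 17: www + pointer to 0 */
};
static const uint8_t PKT_LOOP[] = {
    3,'a','b','c', 0xC0, 0x00     /* off 4 points to 0, which leads back to off 4 */
};
static const uint8_t PKT_NUL[] = {                                 /* rs.internic.net\0.xa.net */
    2,'r','s', 8,'i','n','t','e','r','n','i','c', 4,'n','e','t',0, 2,'x','a', 3,'n','e','t', 0
};

int main(void)
{
    struct dns_name a, b;
    dns_decode_name(PKT_GOOD, sizeof PKT_GOOD, 17, &a);
    printf("decoded: %.*s\n", (int)a.len, (const char *)a.data);
    printf("loop rejected: %d\n", dns_decode_name(PKT_LOOP, sizeof PKT_LOOP, 4, &a) == 0);
    dns_decode_name(PKT_GOOD, sizeof PKT_GOOD, 0, &a);
    dns_decode_name(PKT_NUL, sizeof PKT_NUL, 0, &b);
    printf("strcmp equal: %d, length-aware equal: %d\n",
           dns_name_strcmp_equal(&a, &b), dns_name_equal(&a, &b));
    return 0;
}
```

The loop check is stricter than "pointer must go backwards": a pointer can point backwards to a label that is itself followed by the same pointer, so the decoder requires each pointer to land before the start of the chain it came from, which forces the chain start to decrease on every hop and therefore terminate. The comparison functions show the second point: the name with an embedded NUL compares equal to rs.internic.net under strcmp() but not under a length-aware compare, so any access-control or cache lookup keyed on a C-string view of a name is comparing less than what was on the wire.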