[10707] in bugtraq
Re: weaknesses in dns label decoding,
daemon@ATHENA.MIT.EDU (marka@ISC.ORG)
Thu Jun 3 12:04:03 1999
Message-Id: <199906030134.LAA00214@bsdi.dv.isc.org>
Date: Thu, 3 Jun 1999 11:34:25 +1000
Reply-To: marka@ISC.ORG
From: marka@ISC.ORG
X-To: Dag-Erling Smorgrav <des@ifi.uio.no>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 02 Jun 1999 20:45:09 +0200."
<xzpwvxmv3uy.fsf@hrotti.ifi.uio.no>
> bobk <bobk@SINISTER.COM> writes:
> > Imagine what could happen if some program did a strcmp() on the following
> > name:
> >
> > rs.internic.net\0.xa.net
> >
> > where, of course, \0 is a null
> >
> > Interested readers may ponder what type of programs may be exploited with
> > this type of attack.
>
> Any .rhosts consumer. Xhost. Amanda (.amandahosts). Lpd (lpd.allow).
> What did I win?
>
> DES
> --
> Dag-Erling Smorgrav - des@ifi.uio.no
>
If you have a modern resolver library you won't have a
problem as the presentation form is literally
"rs.internic.net\000.xa.net".
This may be used with old libraries to hide where you came
from, but access checks usually require forward lookups as
well; .rhosts etc. should not be a problem even with old
libraries.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
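As an added illustration of Mark's point (example code, not from the original thread or from any ISC library): a decoder for an uncompressed wire-format name that either copies label bytes verbatim, as old resolvers did, or emits the RFC 1035 section 5.1 presentation form with `\DDD` escapes, so a NUL inside a label comes out as `\000` instead of silently ending the C string that a strcmp()-based check sees. The wire-format name is constructed from bobk's example; `decode_name` and `decode_sample` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire-format name (not from the post): rs / internic / net\0 / xa / net. */
static const uint8_t WIRE_NAME[] = {
    2, 'r', 's', 8, 'i', 'n', 't', 'e', 'r', 'n', 'i', 'c',
    4, 'n', 'e', 't', 0, 2, 'x', 'a', 3, 'n', 'e', 't', 0 };

/* Decode an uncompressed wire-format name into a C string.
 * escape == 0 mimics an old resolver: label bytes are copied verbatim.
 * escape != 0 gives RFC 1035 5.1 presentation form: '.' and '\\' inside a
 * label are backslash-escaped, any non-printable byte becomes \DDD.
 * Returns the number of bytes written, or -1 on malformed input / no room. */
int decode_name(const uint8_t *wire, size_t wlen, int escape,
                char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    while (i < wlen) {
        uint8_t llen = wire[i++];
        if (llen == 0) break;                        /* root label ends the name */
        if (llen > 63 || i + llen > wlen) return -1; /* bad length / truncated */
        if (o > 0) { if (o >= outsz) return -1; out[o++] = '.'; }
        for (uint8_t k = 0; k < llen; k++) {
            uint8_t c = wire[i++];
            int n;
            if (escape && (c == '.' || c == '\\'))
                n = snprintf(out + o, outsz - o, "\\%c", c);
            else if (escape && (c < 0x20 || c > 0x7e))
                n = snprintf(out + o, outsz - o, "\\%03u", (unsigned)c);
            else
                n = snprintf(out + o, outsz - o, "%c", c); /* 0x00 lands in out[] */
            if (n < 0 || (size_t)n >= outsz - o) return -1;
            o += (size_t)n;
        }
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Decode the constructed sample in either mode; strcmp() against
 * "rs.internic.net" then shows the difference between the two. */
const char *decode_sample(int escape)
{
    static char buf[256];
    if (decode_name(WIRE_NAME, sizeof WIRE_NAME, escape, buf, sizeof buf) < 0)
        return "<decode error>";
    return buf;
}
```

With escape == 0 the buffer holds 23 bytes but strlen() reports 15, so a plain strcmp() accepts it as "rs.internic.net"; with escaping on, the string is "rs.internic.net\000.xa.net" and the comparison fails as it should.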