[12380] in bugtraq
DoS attack for ircd's by oversized PTR record
daemon@ATHENA.MIT.EDU (Goblin)
Fri Oct 29 13:05:22 1999
Message-Id: <001101bf2204$980f0d00$666444c2@valhalla.org>
Date: Fri, 29 Oct 1999 12:56:09 +0100
Reply-To: Goblin <goblin@ULTIMATE.PT>
From: Goblin <goblin@ULTIMATE.PT>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
(Read, 1st - Some domains and IPs listed here were substituted by fake
ones, by their owners' desire, but the examples are 100% true, and really
tested)

I found this "bug" while trying to make a BIG sub-domain on my name server,
what I just did was on my named.conf put:

A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal IN A 111.111.111.111
111.111.111.111.in-addr IN PTR A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxx.pt.

Changed the serial and did named.restart, checked for it (if it's working or
not).

nslookup
Default Server: ptm-1.xxxxxxx.pt
Address: 111.111.111.2
> 111.111.111.111
Server: ptm-1.xxxxxxx.pt
Address: 111.111.111.2
Name:    A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxxx.pt
Address: 111.111.111.111

Well it was working, I now had an IP <-> name (resolving IP).

So I decided to go to a Portuguese irc network (irc.ptlink.net), to my
amazement the server crashed (only the ircd) when trying to resolve my IP, I
tried another server and got the same result.

I did some more checking and found it to be vulnerable, it was running
Elite.PTlink3.3.1, a modified version of Elite ircd's.

I probed around for another ircd software and I found another network
running u.2.9.32 (an Undernet ircd), tried it and found it to be also
vulnerable.

Continuing, I tried it on Ptnet version PTnet1.5.39F, which is based on
Dalnet's ircd's, and found it to NOT be vulnerable; when I connected it
tried to resolve my IP and failed, but it didn't crash, it continued the
connection normally.

So let me put this on a small list of affected IRCd's.

Vulnerable:
Elite ircd (versions unknown)
Ptlink ircd (all versions)
Undernet ircd (u.2.9.32)

Not vulnerable:
Ptnet (versions unknown and 1.5.39F)

(Note that this DoS could be applied for many other things)

Any questions about this DoS in ircd's, please mail me; if a valid request I
would be glad to help.

Pedro Reis ( Goblin ) @ Portugal (irc.ptlink.net)
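
Added example, not part of the original post and not code from any of the ircd projects named in it: a server-side check that treats a reverse-DNS answer as untrusted input and falls back to the numeric address, which is the behaviour the post reports for PTnet1.5.39F. The post does not state why the other servers crash; the fixed-size host field, the HOSTLEN value and the function names ptr_name_ok and set_client_host are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTLEN 63   /* assumed size of the server's per-client host field */

/* Returns 1 if `name` is a well-formed hostname that fits in HOSTLEN. */
static int ptr_name_ok(const char *name)
{
    size_t len = strlen(name), label = 0, i;

    if (len > 0 && name[len - 1] == '.')
        len--;                           /* ignore the trailing root dot */
    if (len == 0 || len > HOSTLEN)
        return 0;                        /* oversized PTR answers stop here */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0)
                return 0;                /* empty label such as "a..b" */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (++label > 63)
                return 0;                /* DNS limit for a single label */
        } else {
            return 0;                    /* byte not allowed in a hostname */
        }
    }
    return label > 0;
}

/* Writes the PTR name into `out` if acceptable, otherwise the IP text.
 * Returns 1 when the resolved name was used, 0 on fallback to the IP. */
static int set_client_host(char *out, size_t outsz,
                           const char *ptr_name, const char *ip)
{
    int use_name = ptr_name != NULL && ptr_name_ok(ptr_name);
    size_t n;

    snprintf(out, outsz, "%s", use_name ? ptr_name : ip);  /* bounded copy */
    n = strlen(out);
    if (use_name && n > 0 && out[n - 1] == '.')
        out[n - 1] = '\0';               /* store the name without root dot */
    return use_name;
}

int main(void)
{
    char host[HOSTLEN + 1];
    /* PTR name as printed in the post (97 characters before the root dot). */
    const char *ptr = "A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior."
                      "nome.de.uma.maquina.em.portugal.xxxxxxx.pt.";
    int used = set_client_host(host, sizeof host, ptr, "111.111.111.111");
    printf("used_ptr=%d host=%s\n", used, host);
    return 0;
}
```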