[14827] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Fwd: tcpdump workaround against dnsloop exploit.

daemon@ATHENA.MIT.EDU (Sebastian)
Sun May 7 16:20:35 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000507120112.B24189@nb.in-berlin.de>
Date:         Sun, 7 May 2000 12:01:12 +0200
Reply-To: Sebastian <scut@NB.IN-BERLIN.DE>
From: Sebastian <scut@NB.IN-BERLIN.DE>
X-To:         THE INFAMOUS <evil7@BELLSOUTH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <00050317325100.00442@sQa.speedbros.org>; from
              evil7@BELLSOUTH.NET on Wed, May 03, 2000 at 05:32:26PM -0500

On Wed, May 03, 2000 at 05:32:26PM -0500, THE INFAMOUS wrote:

> Hi,

Hi.

> Here is my patch to tcpdump against the dnsloop exploit...
> I really have no knowledge of the DNS internals at all,
> so this is probably not (and this is not) the good way of preventing this.

It prevents only the "jump-on-itself" type of attack, but it leaves
the decoder still vulnerable to other types of compression attacks where
more than one label is involved. The only secure way is to use a
label counter such as in the BIND decompression routines.

> +                               /*
> +                                * If we got two time the same data ptr,
> +                                * this mean we are looping.
> +                                */
> +                               if ( cp == old)
> +                                       return NULL;
> +                               old = cp;
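Review bot: the `if ( cp == old)` check fires only when two consecutive pointer dereferences land on the same offset, i.e. a pointer that refers to itself; a cycle through two labels (a pointer forward to a second label whose own pointer goes back to the first) alternates between two offsets and never trips it. Replace the comparison with a counter of pointers followed (or of total octets consumed) that returns NULL once it exceeds what any legal name can need, which terminates a loop of any length. It is also worth confirming in the surrounding code that `old` is initialised before the first comparison, since the hunk does not show where it is declared.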

Imagine something like:

alabel<pointer-ahead-to-b-label>blabel<pointer-to-a-label>


ciao,
scut

--
- scut@nb.in-berlin.de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
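As an added example (not code from this mail, from tcpdump or from BIND): a name decoder that bounds compression-pointer hops with a counter, next to a model of the quoted `cp == old` check, both run over a constructed message that contains the two-label loop scut describes. The hop limit of 64 and the sample message are my own choices.

```c
#include <stdint.h>
#include <string.h>

/* A legal name is at most 255 octets (RFC 1035); more pointer hops than that can only be a loop. */
#define MAX_PTR_HOPS 64   /* assumed bound; BIND uses a label counter for the same purpose */
#define MAX_NAME_LEN 255

/* Decode the compressed name at msg[off] into out as dotted text (outlen > 0).
 * Returns the text length, or -1 on truncated, malformed or looping input. */
int dns_name_decode(const uint8_t *msg, size_t msglen, size_t off, char *out, size_t outlen)
{
    size_t pos = off, olen = 0; int hops = 0;
    for (;;) {
        if (pos >= msglen) return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                 /* compression pointer */
            if (pos + 1 >= msglen || ++hops > MAX_PTR_HOPS) return -1;  /* loop of any length */
            pos = ((c & 0x3F) << 8) | msg[pos + 1];
            continue;
        }
        if (c & 0xC0) return -1;                  /* reserved label types 0x40/0x80 */
        if (c == 0) break;                        /* root label ends the name */
        if (pos + 1 + c > msglen || olen + c + 2 > outlen || olen + c + 1 > MAX_NAME_LEN)
            return -1;
        memcpy(out + olen, msg + pos + 1, c);
        olen += c;
        out[olen++] = '.';
        pos += 1 + c;
    }
    out[olen] = '\0';
    return (int)olen;
}

/* Model of the quoted patch: 1 if decoding stops (check fires or name ends) within budget hops, else 0. */
int same_ptr_check_terminates(const uint8_t *msg, size_t msglen, size_t off, int budget)
{
    size_t pos = off, old = (size_t)-1;
    while (budget-- > 0) {
        if (pos + 1 >= msglen) return 1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) != 0xC0) { if (c == 0) return 1; pos += 1 + c; continue; }
        pos = ((c & 0x3F) << 8) | msg[pos + 1];
        if (pos == old) return 1;                 /* fires only for a pointer to itself */
        old = pos;
    }
    return 0;
}

/* Constructed message: normal compressed name (off 17), self-pointer (off 24),
 * and the two-label loop from the mail, alabel<ptr to b> blabel<ptr to a> (off 26). */
static const uint8_t sample_msg[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0, 0x04,  0xC0, 0x18,  1,'a', 0xC0, 0x1E, 1,'b', 0xC0, 0x1A };
static char name_buf[256];
```

The counter-based decoder rejects both loops, while the modelled check stops only the self-pointer and keeps chasing the a/b cycle until its budget runs out.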
