[5991] in bugtraq


Re: pnserver exploit..

daemon@ATHENA.MIT.EDU (der Mouse)
Sat Jan 17 12:37:35 1998

Date: Fri, 16 Jan 1998 14:59:53 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG

> It seems that the pnserver bug was different than first thought.  The
> telnet client sends 6 characters that crash the server when its own
> maxbuffer is reached.  Here is a working exploit.

>   sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6);
>   write(sock, &buffer[0], strlen(buffer));

(Um, that's only 5 characters.)

Hmmm.  In telnet terms, IAC IP IAC DO TIMING-MARK.  (See RFCs 854 and
860 for more.)

What telnet client is this?  Not to imply that pnserver is not wrong to
crash, but this looks like a somewhat weird thing for a telnet client
to send - or have I missed part of the discussion?  This would make
sense if the telnet client generated it in response to something like a
terminal interrupt character.

                                        der Mouse

                               mouse@rodents.montreal.qc.ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
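As an added example (not code from the post, nor from pnserver or any telnet client): a length-bounded telnet command decoder in C of the kind a server should run over incoming bytes. Fed the five quoted bytes it yields IAC IP and IAC DO TIMING-MARK, it handles IAC IAC escaping and SB...SE subnegotiation, and it reports a sequence cut short by a partial read instead of walking past the end of the buffer. The function and constant names (tn_decode, post_decode, post_bytes) are my own.

```c
#include <stddef.h>
/* Telnet command codes from RFC 854; option 6 is TIMING-MARK (RFC 860). */
enum { TIMING_MARK = 6, SE = 240, IP = 244, SB = 250,
       WILL = 251, WONT = 252, DO = 253, DONT = 254, IAC = 255 };

typedef struct { unsigned char cmd, opt; } tn_cmd;  /* opt is 0 when the command takes none */

/* Split a received chunk into ordinary data (copied to out, which must hold len bytes) and
 * telnet commands (up to max of them, recorded in cmds).  Works on the explicit length, never
 * strlen(): returns the command count, or -1 if the chunk ends mid-sequence (wait for more). */
int tn_decode(const unsigned char *in, size_t len, unsigned char *out, size_t *outlen,
              tn_cmd *cmds, size_t max)
{
    size_t i = 0, o = 0; int n = 0;
    while (i < len) {
        if (in[i] != IAC) { out[o++] = in[i++]; continue; }
        if (i + 1 >= len) { *outlen = o; return -1; }          /* lone IAC at end */
        unsigned char c = in[i + 1];
        if (c == IAC) { out[o++] = IAC; i += 2; continue; }    /* IAC IAC is a data byte 255 */
        tn_cmd rec = { c, 0 };
        if (c == WILL || c == WONT || c == DO || c == DONT) {
            if (i + 2 >= len) { *outlen = o; return -1; }      /* option byte not yet here */
            rec.opt = in[i + 2];
            i += 3;
        } else if (c == SB) {                                  /* skip to the closing IAC SE */
            size_t j = i + 2;
            while (j + 1 < len && !(in[j] == IAC && in[j + 1] == SE)) j += (in[j] == IAC) ? 2 : 1;
            if (j + 1 >= len) { *outlen = o; return -1; }
            i = j + 2;
        } else {
            i += 2;                                            /* two-byte command, e.g. IAC IP */
        }
        if ((size_t)n < max) cmds[n] = rec;
        n++;
    }
    *outlen = o;
    return n;
}

/* The five bytes quoted in the post, constructed here rather than captured from a client. */
static const unsigned char post_bytes[] = { 255, 244, 255, 253, 6 };
/* Decode the first len bytes of post_bytes (a server may read a partial chunk).  Returns
 * command k packed as (cmd << 8) | opt, or the command count (or -1) when k is (size_t)-1. */
int post_decode(size_t len, size_t k)
{
    unsigned char data[sizeof post_bytes]; size_t dl; tn_cmd c[4];
    int n = tn_decode(post_bytes, len, data, &dl, c, 4);
    if (k == (size_t)-1 || n < 0) return n;
    return k < (size_t)n ? (c[k].cmd << 8) | c[k].opt : -1;
}
```

With all five bytes post_decode reports two commands, IP and DO TIMING-MARK, and no data; with only the first four it returns -1, since the option byte of the DO has not arrived yet.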
