[7806] in bugtraq


Re: buffer overflow in nslookup?

daemon@ATHENA.MIT.EDU (www.devoid.net)
Sun Aug 30 22:43:44 1998

Date: 	Sun, 30 Aug 1998 18:47:18 -0700
Reply-To: admin@fallin.devoid.net
From: "www.devoid.net" <admin@FALLIN.DEVOID.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.980829221840.3119A-100000@hamilton.math.uakron.edu>

My last mail didn't go out, so this time I won't go through all the examples
because I do not have the time.
None of these buffer overruns core my nslookup (bind-8.1.2).
I am running a dual processor x86,
pentium classic,
and Cyril

not that the CPU matters..

Where did the nslookup in these examples originate?



On 30-Aug-98 Brandon Reynolds wrote:
> On Sat, 29 Aug 1998, Peter van Dijk wrote:
>
>> *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
>> Segmentation fault (core dumped)
>> [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
>> Server:  zopie.attic.vuurwerk.nl
>> Address:  10.10.13.1
>>
>> Segmentation fault (core dumped)
>>
>> At first, this does not seem a problem: nslookup is not suid root or
>> anything.
>> But several sites have cgi-scripts that call nslookup... tests show that
>> these
>> will coredump when passed enough characters. Looks exploitable to me...
>
> The offending line is line 684 in main.c:
>
>     sscanf(string, " %s", host);        /* removes white space */
>
> It could easily remedied by inserting something like this before it.
>
>     if(strlen(string) > NAME_LEN) {
>       fprintf(stderr,"host name too long.\n");
>       exit(1);
>     }
>
> The code seems to be littered with sscanf's, but I guess the command line
> is probably the only critical concern since it's not suid.
>
> Brandon Reynolds                                   bmr@math.uakron.edu
> The University of Akron              (330) 972-6776 fax (330) 374-8630
> Mathematical Sciences                 http://www.math.uakron.edu/~bmr/

--------------------------
E-Mail: admin@devoid.net
Date: 30-Aug-98
Time: 18:42:45
      www.devoid.net
--------------------------
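The unbounded `sscanf(string, " %s", host)` pattern discussed in the quoted reply, beside a bounded replacement, as an added C example that is not from this thread or from BIND's source; NAME_LEN, parse_host and the check_* helpers are constructed for the example, and the 1000-character input mirrors the `perl -e` argument quoted above:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 256   /* constructed buffer size, not BIND's own value */

/* Hardened replacement for `sscanf(string, " %s", host)`: copies the first
 * whitespace-delimited token of `string` into `host` (capacity `hostlen`).
 * Returns 0 on success, -2 if there is no token, and -1 if the token does
 * not fit; the terminating NUL counts, so a token of exactly hostlen
 * characters is rejected too (a `strlen(s) > capacity` test lets it through). */
int parse_host(const char *string, char *host, size_t hostlen)
{
    char fmt[32];
    const char *p = string;
    size_t len;
    if (hostlen < 2)
        return -1;
    /* Build the width-limited conversion (e.g. " %255s") from the real
     * buffer size so the two can never drift apart. */
    snprintf(fmt, sizeof fmt, " %%%zus", hostlen - 1);
    if (sscanf(string, fmt, host) != 1)
        return -2;
    /* A width limit truncates silently; refuse the input instead of quietly
     * resolving a different name than the one the caller supplied. */
    len = strlen(host);
    while (isspace((unsigned char)*p))
        p++;
    if (p[len] != '\0' && !isspace((unsigned char)p[len])) {
        host[0] = '\0';
        return -1;
    }
    return 0;
}

/* Self-checks on constructed inputs mirroring the thread. */
int check_short(void)   /* normal name with surrounding blanks: expect 0 */
{
    char host[NAME_LEN];
    if (parse_host("  zopie.attic.vuurwerk.nl  ", host, sizeof host) != 0)
        return 1;
    return strcmp(host, "zopie.attic.vuurwerk.nl") == 0 ? 0 : 2;
}

int check_long(void)    /* 1000 x "A" as in the perl one-liner: expect -1 */
{
    char host[NAME_LEN], big[1001];
    memset(big, 'A', 1000); big[1000] = '\0';
    return parse_host(big, host, sizeof host);
}
```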
