[28232] in bugtraq


Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)

daemon@ATHENA.MIT.EDU (der Mouse)
Tue Dec 17 14:26:07 2002

From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Message-Id: <200212171750.MAA09168@Sparkle.Rodents.Montreal.QC.CA>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Tue, 17 Dec 2002 18:44:13 +0100 (CET)
To: Stefan Esser <s.esser@e-matters.de>, bugtraq@securityfocus.com
In-Reply-To: <20021217063723.GA18608@php.net>

>> *ON THE WIRE*, all 256 byte codes are legal, since [...]

> Yes, no one said it is not, but fact is, the libc resolvers simply do
> not allow them, so you can send through the wire whatever you want; it
> will not find its way to the fingerd.

This does not match my experience.

I control rDNS for my house network (my provider has installed CNAMEs
pointing into my domain for my address space); I tried picking a
currently-unused address and giving it a PTR record pointing to
"Host-%-sign.Rodents.Montreal.QC.CA".  I then told my nameserver to
reload the zone.

Using "host" on the address then printed the name I'd given,
Host-%-sign.Rodents.Montreal.QC.CA.  The resolver never even blinked.
(If you want to try your own resolver on it, I've left it up; the
address is 216.46.5.13.  I expect I'll be able to leave it up for at
least a month or so, but of course can't actually commit to that.)

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
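A defender-side illustration of the point made above, added here as an example and not part of the original post or of any fingerd code: a name handed back by the resolver is checked against the classic hostname character set (the RFC 952/1123 alphabet is an assumed policy) and, independently, is only ever passed to a formatting call as a `%s` argument, so a `%` in a PTR record is copied literally instead of being interpreted.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Accept only letters, digits, '-' and '.' (RFC 952/1123 hostnames) so
 * that anything the resolver returns is checked before it reaches
 * logging or formatting code. Returns 1 if acceptable, 0 otherwise. */
int hostname_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Build a log line about a connecting host. The name is always the
 * argument of a fixed "%s" format, never the format string itself, so
 * a '%' inside it is emitted verbatim. Returns the snprintf() count. */
int format_log_line(char *out, size_t outsz, const char *host)
{
    return snprintf(out, outsz, "finger request from %s", host);
}

int main(void)
{
    /* Constructed samples: the PTR name from the post and a plain one. */
    const char *names[] = {
        "Host-%-sign.Rodents.Montreal.QC.CA",
        "Sparkle.Rodents.Montreal.QC.CA"
    };
    char line[128];
    for (int i = 0; i < 2; i++) {
        format_log_line(line, sizeof line, names[i]);
        printf("%s  [charset check: %s]\n", line,
               hostname_is_safe(names[i]) ? "ok" : "rejected");
    }
    return 0;
}
```

The check rejects the `%` name while the formatter still logs it unchanged; either measure alone stops the format string from being attacker-controlled, and the validator additionally catches names that would confuse other consumers of the string.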
