[28237] in bugtraq
Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Dec 17 14:57:46 2002
Message-Id: <200212170456.gBH4uARa002457@turing-police.cc.vt.edu>
To: Stefan Esser <s.esser@e-matters.de>
In-Reply-To: Your message of "Mon, 16 Dec 2002 21:39:32 +0100." <20021216203932.GA3893@php.net>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 16 Dec 2002 23:56:10 -0500
On Mon, 16 Dec 2002 21:39:32 +0100, Stefan Esser <s.esser@e-matters.de> said:
>
> Hello,
>
> > Due to the way requests are logged the only way to exploit this
> > vulnerability is through setting the DNS name of the fingering host to the
> > attacker supplied format string.
>
> I really wonder how you want to exploit this... Last time I checked
> all tested resolvers (Linux/BSD/Solaris) did not allow % within domain
> names and so your format string vulnerability is not exploitable at all...
Gotta read them RFCs carefully. ;)

*ON THE WIRE*, all 256 byte codes are legal, since DNS uses a length-data
encoding. Currently, there are restrictions on what chars are legal *for use*,
but there's no reason to suppose that with i18n and UTF-8 possibly appearing in
domain names, this will change.

Now ponder the fun you can have with a PTR entry - as that is what needs to
be returned for "setting the DNS name of the fingering host". What? You can't
get that into a BIND 9 zone file? Try grepping through the source
for "check-names" and ponder the possibilities. You don't even need to
hack the source code for this one....
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech