Re: pnserver exploit..

From: der Mouse (mouseat_private)
Date: Fri Jan 16 1998 - 11:59:53 PST


> It seems that the pnserver bug was different than first thought.  The
> telnet client sends 6 characters that crash the server when its own
> maxbuffer is reached.  Here is a working exploit.

>   sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6);
>   write(sock, &buffer[0], strlen(buffer));

(Um, that's only 5 characters.)

Hmmm.  In telnet terms, IAC IP IAC DO TIMING-MARK.  (See RFCs 854 and
860 for more.)

What telnet client is this?  Not to imply that pnserver is not wrong to
crash, but this looks like a somewhat weird thing for a telnet client
to send - or have I missed part of the discussion?  This would make
sense if the telnet client generated it in response to something like a
terminal interrupt character.

                                        der Mouse

                               mouseat_private
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
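
Decoding the quoted byte string with the command and option codes der Mouse cites (IAC=255, IP=244, DO=253 from RFC 854; TIMING-MARK=6 from RFC 860), as an added example that is not code from the original thread or from pnserver. The bytes are kept in an unsigned array so the 0xFF values survive regardless of whether char is signed, and the decoder handles the three shapes an IAC sequence can take (two-byte command, three-byte option negotiation, subnegotiation up to IAC SE) plus the escaped IAC IAC data byte; a buffer that ends mid-command is reported, not read past. The reply helper is the RFC 860/854 behaviour a tolerant server is expected to show (WILL TIMING-MARK once prior input is processed, WONT for any option it does not support); the function names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Telnet command codes from RFC 854 (240..255, contiguous) and the
 * Timing Mark option code from RFC 860. */
enum {
    TN_SE = 240, TN_NOP, TN_DM, TN_BRK, TN_IP, TN_AO, TN_AYT, TN_EC, TN_EL,
    TN_GA, TN_SB, TN_WILL, TN_WONT, TN_DO, TN_DONT, TN_IAC
};
#define TNOPT_TIMING_MARK 6

static const char *tn_cmd_name(unsigned char c) {
    static const char *names[] = { "SE", "NOP", "DM", "BRK", "IP", "AO", "AYT",
        "EC", "EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC" };
    return (c >= TN_SE) ? names[c - TN_SE] : "UNKNOWN";
}

static const char *tn_opt_name(unsigned char o, char *tmp, size_t tmpsz) {
    if (o == TNOPT_TIMING_MARK) return "TIMING-MARK";
    snprintf(tmp, tmpsz, "OPT-%u", o);   /* other options: just the number */
    return tmp;
}

/* Append one token to out, space separated, never overrunning outsz. */
static void put(char *out, size_t outsz, const char *s) {
    size_t n = strlen(out);
    if (n < outsz - 1) snprintf(out + n, outsz - n, "%s%s", n ? " " : "", s);
}

/* Decode len bytes of a telnet stream.  Commands are written to out by
 * their RFC names (e.g. "IAC IP IAC DO TIMING-MARK"); plain data bytes are
 * counted in *ndata.  Returns the number of complete commands, or -1 if the
 * buffer ends in the middle of one (the case a server must survive). */
int tn_decode(const unsigned char *buf, size_t len, char *out, size_t outsz,
              size_t *ndata) {
    int ncmd = 0;
    size_t i = 0;
    char tmp[16];
    out[0] = '\0';
    *ndata = 0;
    while (i < len) {
        if (buf[i] != TN_IAC) { (*ndata)++; i++; continue; }
        if (i + 1 >= len) return -1;                 /* lone IAC at the end */
        unsigned char cmd = buf[i + 1];
        if (cmd == TN_IAC) { (*ndata)++; i += 2; continue; }  /* escaped 0xFF */
        put(out, outsz, "IAC");
        put(out, outsz, tn_cmd_name(cmd));
        if (cmd >= TN_WILL && cmd <= TN_DONT) {      /* negotiation: 3 bytes */
            if (i + 2 >= len) return -1;
            put(out, outsz, tn_opt_name(buf[i + 2], tmp, sizeof tmp));
            i += 3;
        } else if (cmd == TN_SB) {                   /* subnegotiation to IAC SE */
            size_t j = i + 2;
            while (j + 1 < len && !(buf[j] == TN_IAC && buf[j + 1] == TN_SE)) j++;
            if (j + 1 >= len) return -1;
            put(out, outsz, "... IAC SE");
            i = j + 2;
        } else {
            i += 2;                                  /* two-byte command */
        }
        ncmd++;
    }
    return ncmd;
}

/* RFC 860: a peer that receives IAC DO TIMING-MARK answers IAC WILL
 * TIMING-MARK once everything received before it has been processed; per
 * RFC 854 any option it does not support is refused with IAC WONT <opt>.
 * Writes the 3-byte reply and returns its length. */
size_t tn_reply_to_do(unsigned char opt, unsigned char reply[3]) {
    reply[0] = TN_IAC;
    reply[1] = (opt == TNOPT_TIMING_MARK) ? TN_WILL : TN_WONT;
    reply[2] = opt;
    return 3;
}

/* The exact bytes from the quoted sprintf(); returns the count, which is 5. */
size_t tn_build_quoted(unsigned char *buf) {
    const unsigned char seq[] = { 255, 244, 255, 253, 6 };
    memcpy(buf, seq, sizeof seq);
    return sizeof seq;
}

int main(void) {
    unsigned char pkt[8], reply[3];
    char text[128];
    size_t ndata, n = tn_build_quoted(pkt);
    int ncmd = tn_decode(pkt, n, text, sizeof text, &ndata);
    printf("%zu bytes, %d commands: %s\n", n, ncmd, text);
    tn_reply_to_do(pkt[4], reply);
    printf("reply: IAC %s %s\n", tn_cmd_name(reply[1]), "TIMING-MARK");
    return 0;
}
```

Feeding the decoder a truncated copy of the sequence (the first four bytes) is the quick check that a server-side telnet reader handles a negotiation cut off at a buffer boundary by waiting for more input rather than indexing past the end of what it has.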
    