On Sat, 29 Aug 1998, Peter van Dijk wrote:

> *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
> Segmentation fault (core dumped)
> [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
> Server: zopie.attic.vuurwerk.nl
> Address: 10.10.13.1
>
> Segmentation fault (core dumped)
>
> At first, this does not seem a problem: nslookup is not suid root or anything.
> But several sites have cgi-scripts that call nslookup... tests show that these
> will coredump when passed enough characters. Looks exploitable to me...

The offending line is line 684 in main.c:

    sscanf(string, " %s", host);    /* removes white space */

It could easily be remedied by inserting something like this before it.

    if (strlen(string) > NAME_LEN) {
        fprintf(stderr, "host name too long.\n");
        exit(1);
    }

The code seems to be littered with sscanf's, but I guess the command line is
probably the only critical concern since it's not suid.

Brandon Reynolds
bmrat_private
The University of Akron
(330) 972-6776  fax (330) 374-8630
Mathematical Sciences
http://www.math.uakron.edu/~bmr/
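The fix discussed above, worked through as an added example (not code from the post or from nslookup itself): a bounded replacement for the unbounded `sscanf(string, " %s", host)` beside the width-limited scanf form, fed the same 1000-byte name. It assumes host is declared as `char host[NAME_LEN]` with NAME_LEN = 256 (the post names the constant but not its value); under that assumption a length check must reject `strlen(string) >= NAME_LEN`, since `>` still lets a name of exactly NAME_LEN bytes overrun the buffer by its NUL.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* NAME_LEN is named in the post but its value is not given; 256 is assumed. */
#define NAME_LEN 256
char g_host[NAME_LEN];                     /* scratch buffer for callers */

/* Bounded replacement for the post's `sscanf(string, " %s", host)`: skips
 * leading white space and reads one token as " %s" does, but refuses a token
 * that would not fit in host[NAME_LEN] with its NUL, so a 1000-byte name is
 * rejected instead of overrunning the buffer. Returns 1 on success, 0 (host
 * emptied) if the token is empty or too long. */
int parse_host(const char *string, char host[NAME_LEN])
{
    const char *p = string;
    size_t n = 0;
    while (*p && isspace((unsigned char)*p))
        p++;                               /* the " " of " %s" */
    while (p[n] && !isspace((unsigned char)p[n]))
        n++;                               /* %s stops at white space */
    if (n == 0 || n >= NAME_LEN) {         /* n == NAME_LEN leaves no room for NUL */
        host[0] = '\0';
        return 0;
    }
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* Width-limited scanf form: cannot overflow either, but silently truncates
 * an over-long name instead of rejecting it. Returns the sscanf result. */
int parse_host_truncating(const char *string, char host[NAME_LEN])
{
    return sscanf(string, " %255s", host); /* 255 == NAME_LEN - 1 */
}

/* Constructed input in the spirit of the post's perl -e 'print "A" x 1000'.
 * Returns -1 if parse_host accepted it (it must not), otherwise the length
 * the truncating form kept, to show the two behaviours side by side. */
int demo_overlong(void)
{
    char big[1001], host[NAME_LEN];
    memset(big, 'A', 1000);
    big[1000] = '\0';
    if (parse_host(big, host) != 0)
        return -1;
    parse_host_truncating(big, host);
    return (int)strlen(host);              /* 255 */
}
```

The truncating form is safe against the crash but hands the caller a wrong host name without any error, which is why an explicit length check that fails loudly, as the post suggests, is the better fix for a command-line tool.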
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:05 PDT