My last mail didn't go out, so this time I won't go through all the examples because I do not have the time. None of these buffer overruns core my nslookup (bind-8.1.2). I am running a dual processor x86, Pentium classic, and Cyrix, not that the CPU matters. Where did the nslookup in these examples originate?

On 30-Aug-98 Brandon Reynolds wrote:
> On Sat, 29 Aug 1998, Peter van Dijk wrote:
>
>> *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
>> Segmentation fault (core dumped)
>> [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
>> Server: zopie.attic.vuurwerk.nl
>> Address: 10.10.13.1
>>
>> Segmentation fault (core dumped)
>>
>> At first, this does not seem a problem: nslookup is not suid root or
>> anything. But several sites have cgi-scripts that call nslookup... tests
>> show that these will coredump when passed enough characters. Looks
>> exploitable to me...
>
> The offending line is line 684 in main.c:
>
>     sscanf(string, " %s", host); /* removes white space */
>
> It could easily be remedied by inserting something like this before it.
>
>     if(strlen(string) > NAME_LEN) {
>         fprintf(stderr,"host name too long.\n");
>         exit(1);
>     }
>
> The code seems to be littered with sscanf's, but I guess the command line
> is probably the only critical concern since it's not suid.
>
> Brandon Reynolds bmrat_private
> The University of Akron (330) 972-6776 fax (330) 374-8630
> Mathematical Sciences http://www.math.uakron.edu/~bmr/

--------------------------
E-Mail: adminat_private
Date: 30-Aug-98
Time: 18:42:45
www.devoid.net
--------------------------
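A bounded form of the quoted `sscanf(string, " %s", host)` line, as an added example that is not part of the thread or of bind's source. `HOST_LEN` is an assumed stand-in for bind's `NAME_LEN`, whose value is not given here; the point is that the `%s` width is derived from the buffer size and that over-long input is rejected rather than silently truncated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for bind's NAME_LEN; the real value is not on the page. */
#define HOST_LEN 64

/* Hardened replacement for the unbounded sscanf(string, " %s", host).
 * A width specifier tells %s how many bytes it may store, so a 1000-byte
 * argument can no longer run past `host`. Because sscanf stops silently at
 * the width, the real token length is measured afterwards and anything that
 * would not fit is reported instead of being handed back cut short.
 * Returns 0 on success, -1 if the input holds no token, -2 if it is too long. */
int parse_host(const char *string, char host[HOST_LEN])
{
    char fmt[16];
    /* Build " %63s" from HOST_LEN so the buffer and the width never drift apart. */
    snprintf(fmt, sizeof fmt, " %%%ds", HOST_LEN - 1);

    host[0] = '\0';
    if (sscanf(string, fmt, host) != 1)
        return -1;                         /* only white space (or nothing) */

    /* Skip the leading white space sscanf skipped, then measure the token. */
    const char *tok = string;
    while (isspace((unsigned char)*tok))
        tok++;
    size_t len = strcspn(tok, " \t\n\v\f\r");
    if (len >= HOST_LEN) {                 /* would need len + 1 bytes */
        host[0] = '\0';                    /* never return a truncated name */
        return -2;                         /* "host name too long" */
    }
    return 0;
}

int main(void)
{
    /* Constructed input mirroring the thread's test: 1000 'A' characters. */
    char big[1001];
    memset(big, 'A', 1000);
    big[1000] = '\0';

    char host[HOST_LEN];
    printf("normal: %d (%s)\n", parse_host("  zopie.attic.vuurwerk.nl", host), host);
    printf("1000 A's: %d\n", parse_host(big, host));
    return 0;
}
```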
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:08 PDT