Re: buffer overflow in nslookup?

From: www.devoid.net (adminat_private)
Date: Sun Aug 30 1998 - 18:47:18 PDT


    My last mail didn't go out, so this time I won't go through all the examples
    because I do not have the time.
    None of these buffer overruns core my nslookup ( bind-8.1.2 ).
    I am running a dual processor x86,
    pentium classic,
    and Cyril

    not that the CPU matters..

    Where did the nslookup in these examples originate?

    On 30-Aug-98 Brandon Reynolds wrote:
    > On Sat, 29 Aug 1998, Peter van Dijk wrote:
    >
    >> *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
    >> Segmentation fault (core dumped)
    >> [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
    >> Server:  zopie.attic.vuurwerk.nl
    >> Address:  10.10.13.1
    >>
    >> Segmentation fault (core dumped)
    >>
    >> At first, this does not seem a problem: nslookup is not suid root or
    >> anything.
    >> But several sites have cgi-scripts that call nslookup... tests show that
    >> these
    >> will coredump when passed enough characters. Looks exploitable to me...
    >
    > The offending line is line 684 in main.c:
    >
    >     sscanf(string, " %s", host);        /* removes white space */
    >
    > It could easily remedied by inserting something like this before it.
    >
    >     if(strlen(string) > NAME_LEN) {
    >       fprintf(stderr,"host name too long.\n");
    >       exit(1);
    >     }
    >
    > The code seems to be littered with sscanf's, but I guess the command line
    > is probably the only critical concern since it's not suid.
    >
    > Brandon Reynolds                                   bmrat_private
    > The University of Akron              (330) 972-6776 fax (330) 374-8630
    > Mathematical Sciences                 http://www.math.uakron.edu/~bmr/
    
    --------------------------
    E-Mail: adminat_private
    Date: 30-Aug-98
    Time: 18:42:45
          www.devoid.net
    --------------------------
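    The quoted fix bounds the argument before the unchecked `sscanf(string, " %s", host)`. As an added example (not code from the thread or from BIND), the function below applies both defences a reviewer would want: a length check against the buffer, plus a field width in the scan format so the copy is bounded even if the check is bypassed. `NAME_LEN` is assumed to be 255 here; the real value is the macro in nslookup's main.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value; the real NAME_LEN is defined in nslookup's main.c. */
#define NAME_LEN 255

/* Hardened replacement for the bare sscanf(string, " %s", host) quoted in
 * the thread.  Returns 1 on success, 0 if there is no host token, and -1 if
 * the token would not fit in host[hostlen] (including the terminating NUL). */
static int parse_host_safe(const char *string, char *host, size_t hostlen)
{
    char fmt[32];
    const char *p = string;
    size_t n;

    if (hostlen < 2)
        return -1;
    while (*p == ' ' || *p == '\t')         /* skip leading white space */
        p++;
    n = strcspn(p, " \t\r\n");              /* length of the first token */
    if (n == 0)
        return 0;
    if (n >= hostlen)                       /* the check from the quoted fix */
        return -1;
    /* Second line of defence: a field width, e.g. "%255s", so sscanf itself
     * can never write more than hostlen-1 characters plus the NUL. */
    snprintf(fmt, sizeof fmt, "%%%zus", hostlen - 1);
    return sscanf(p, fmt, host) == 1 ? 1 : 0;
}

/* Test helper: constructs n 'A' characters, mirroring the
 * perl -e 'print "A" x 1000' argument from the quoted mail, and parses it
 * into a NAME_LEN-sized buffer.  Returns the parse_host_safe() result. */
static int parse_repeated_a(size_t n)
{
    char host[NAME_LEN + 1];
    char *buf = malloc(n + 1);
    int rc;

    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    rc = parse_host_safe(buf, host, sizeof host);
    free(buf);
    return rc;
}
```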

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:08 PDT