DoS attack for ircd's by oversized PTR record

From: Goblin (goblinat_private)
Date: Fri Oct 29 1999 - 04:56:09 PDT


    (Read first: some domains and IPs listed here were substituted by fake
    ones, at their owners' request, but the examples are 100% true, and really
    tested)
    
    I found this "bug" while trying to make a BIG sub-domain on my name server.
    What I did was put this in my named.conf:
    
    A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal    IN    A    111.111.111.111
    111.111.111.111.in-addr     IN    PTR    A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxx.pt.
    
    Changed the serial and did named.restart, then checked whether it was
    working or not.
    
    nslookup
    Default Server:  ptm-1.xxxxxxx.pt
    Address:  111.111.111.2
    
    > 111.111.111.111
    Server:  ptm-1.xxxxxxx.pt
    Address:  111.111.111.2
    
    Name:    A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.em.portugal.xxxxxxxx.pt
    Address:  111.111.111.111
    
    Well, it was working; I now had an IP <-> name mapping (resolving the IP).
    So I decided to go to a Portuguese IRC network (irc.ptlink.net). To my
    amazement the server crashed (only the ircd) when trying to resolve my IP. I
    tried another server and got the same result.
    I did some more checking and found it to be vulnerable; it was running
    Elite.PTlink3.3.1, a modified version of Elite ircd's.
    I probed around for other ircd software and I found another network
    running u.2.9.32 (an Undernet ircd), tried it and found it to be also
    vulnerable.
    Continuing, I tried it on Ptnet version PTnet1.5.39F, which is based on
    Dalnet's ircd's, and found it to NOT be vulnerable. When I connected it
    tried to resolve my IP and failed, but it didn't crash; it continued the
    connection normally.
    
    So let me put this on a small list of affected IRCd's.
    
    Vulnerable:
            Elite ircd (versions unknown)
            Ptlink ircd (all versions)
            Undernet ircd (u.2.9.32)
    Not vulnerable:
            Ptnet (versions unknown and 1.5.39F)
    
    (Note that this DoS could be applied for many other things)
    
    Any questions about this DoS in ircd's, please mail me; if it is a valid
    request I would be glad to help.
    
    
    Pedro Reis ( Goblin ) @ Portugal (irc.ptlink.net)
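
The post reports that PTnet's ircd failed the lookup on the long PTR name and continued the connection instead of crashing. The following is an added example (not from the original post or from any ircd's source) of handling a PTR result that way, assuming the server keeps hostnames in a fixed-size field: the name is length- and character-checked before it is copied, and the textual IP is used otherwise. HOSTLEN, valid_hostname and set_client_host are hypothetical names; SAMPLE_PTR is the redacted name shown in the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTLEN 63  /* assumed capacity of the server's host field */

/* The redacted PTR name from the post (longer than HOSTLEN). */
static const char SAMPLE_PTR[] =
    "A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome."
    "de.uma.maquina.em.portugal.xxxxxxx.pt";

/* Accept only names that fit the field and use hostname characters. */
static int valid_hostname(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > HOSTLEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0)
                return 0;              /* empty label ("..", leading dot) */
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-') {
            label++;
        } else {
            return 0;                  /* unexpected byte in a PTR answer */
        }
    }
    return 1;
}

/* Store the PTR name if acceptable, else the IP text. Returns 1 if the
 * PTR name was used, 0 on fallback. The copy is bounded either way. */
int set_client_host(char dst[HOSTLEN + 1], const char *ptr_name,
                    const char *ip_text)
{
    int use_ptr = ptr_name != NULL && valid_hostname(ptr_name);
    const char *src = use_ptr ? ptr_name : ip_text;
    size_t n = strlen(src);
    if (n > HOSTLEN)
        n = HOSTLEN;                   /* never write past the field */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return use_ptr;
}

int main(void)
{
    char host[HOSTLEN + 1];
    int used = set_client_host(host, SAMPLE_PTR, "111.111.111.111");
    printf("used_ptr=%d host=%s\n", used, host);
    return 0;
}
```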
    


