Bugtraq mailing list archives
Re: buffer overflow in nslookup?
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Sun, 30 Aug 1998 11:28:38 +0200
On Sat, Aug 29, 1998 at 10:22:26PM -0400, Brandon Reynolds wrote:
> On Sat, 29 Aug 1998, Peter van Dijk wrote:
> > *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
> > Segmentation fault (core dumped)
> > [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
> > Server:  zopie.attic.vuurwerk.nl
> > Address:  10.10.13.1
> >
> > Segmentation fault (core dumped)
> >
> > At first, this does not seem a problem: nslookup is not suid root or
> > anything. But several sites have cgi-scripts that call nslookup... tests
> > show that these will coredump when passed enough characters. Looks
> > exploitable to me...
>
> The offending line is line 684 in main.c:
>
>     sscanf(string, " %s", host); /* removes white space */
>
> It could easily be remedied by inserting something like this before it:
>
>     if(strlen(string) > NAME_LEN) {
>         fprintf(stderr,"host name too long.\n");
>         exit(1);
>     }
>
> The code seems to be littered with sscanf's, but I guess the command line
> is probably the only critical concern since it's not suid.
Hmm... how about cgi-scripts that expect you to use GET? Use POST and
nslookup will happily accept your garbage on STDIN.

Remember /cgi-bin/phf not that long ago (still widely exploitable)? Try
running 'dd of=/tmp/bla' from phf and then putting in some data via POST.
phf expects you to use GET, which means you can easily upload files.

Anyway, Theo de Raadt told me he fixed 'a bucketload of sscanf's', so I
think we can expect a patch from him soon.

Greetz, Peter.

--
'I guess anybody who walks away from a root shell at   : Peter van Dijk
 a nerd party gets what they deserve!' -- BillSF         : peter () attic vuurwerk nl
finger hardbeat () milanlovesverona ml org for my public PGP-key
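The unbounded `sscanf(" %s")` pattern the thread discusses, next to a version that applies the proposed length check and also bounds the conversion with a field width. This is an added C example, not code from nslookup or from either poster; NAME_LEN is assumed to be 255 here, the `host` buffer is a stand-in for the real one, and the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 255        /* assumed buffer size; not nslookup's real value */
#define STR(x) #x
#define XSTR(x) STR(x)      /* turns NAME_LEN into the literal "255" for the format */

static char host[NAME_LEN + 1];

/* The pattern under discussion: a bare " %s" has no width, so a token longer
 * than the destination overruns it. Kept for comparison only; never call it
 * on untrusted input. */
void parse_host_unbounded(const char *string)
{
    sscanf(string, " %s", host); /* removes white space, but has no length limit */
}

/* Hardened version: the up-front length check from the thread, plus a width
 * on the conversion so that a later edit cannot reintroduce the overrun.
 * Returns 0 and fills host on success, -1 if the input is rejected or empty. */
static int parse_host_bounded(const char *string)
{
    if (strlen(string) > NAME_LEN)
        return -1;                          /* "host name too long." */
    host[0] = '\0';
    /* " %255s" stores at most NAME_LEN bytes and appends the NUL itself */
    if (sscanf(string, " %" XSTR(NAME_LEN) "s", host) != 1)
        return -1;
    return 0;
}
/* 1 if parsing `string` succeeds and the extracted host equals `expected`. */
static int host_parses_to(const char *string, const char *expected)
{
    return parse_host_bounded(string) == 0 && strcmp(host, expected) == 0;
}
/* Constructed input mirroring the 1000 'A's from the report. */
static const char *thousand_as(void)
{
    static char buf[1001];
    memset(buf, 'A', 1000);
    buf[1000] = '\0';
    return buf;
}
int main(void)
{
    printf("short name: %s\n", host_parses_to("  example.org", "example.org") ? "ok" : "FAIL");
    printf("1000 x A: %s\n", parse_host_bounded(thousand_as()) == -1 ? "rejected" : "ACCEPTED");
    return 0;
}
```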