Re: buffer overflow in nslookup?

[admin () fallin devoid net (www.devoid.net)]

my last mail didn't go out so this time i wont go through all the examples
because i do not have the time.
none of these buffer overruns core my nslookup ( bind-8.1.2 )
i am running a duel processor x86,
pentium classic,
and Cyril

not that the CPA matters..

where did the nslookup in these examples origionate ?



On 30-Aug-98 Brandon Reynolds wrote:
> On Sat, 29 Aug 1998, Peter van Dijk wrote:
>
> > *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
> > Segmentation fault (core dumped)
> > [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
> > Server:  zopie.attic.vuurwerk.nl
> > Address:  10.10.13.1
> >
> > Segmentation fault (core dumped)
> >
> > At first, this does not seem a problem: nslookup is not suid root or
> > anything.
> > But several sites have cgi-scripts that call nslookup... tests show that
> > these
> > will coredump when passed enough characters. Looks exploitable to me...
>
> The offending line is line 684 in main.c:
>
>     sscanf(string, " %s", host);        /* removes white space */
>
> It could easily remedied by inserting something like this before it.
>
>     if(strlen(string) > NAME_LEN) {
>       fprintf(stderr,"host name too long.\n");
>       exit(1);
>     }
>
> The code seems to be littered with sscanf's, but I guess the command line
> is probably the only critical concern since it's not suid.
>
> Brandon Reynolds                                   bmr () math uakron edu
> The University of Akron              (330) 972-6776 fax (330) 374-8630
> Mathematical Sciences                 http://www.math.uakron.edu/~bmr/

--------------------------
E-Mail: admin () devoid net
Date: 30-Aug-98
Time: 18:42:45
      www.devoid.net
--------------------------