Bugtraq mailing list archives

Re: buffer overflow in nslookup?

From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Mon, 31 Aug 1998 01:17:40 -0600

If your nslookup's main.c includes:

    sscanf(string, " %s", host);        /* removes white space */

(at line 681 in 4.9.7-REL and at line 684 in 8.1.2) and it does not
check the length of 'string', then you are vulnerable.


Nearly all the sscanf's parsing for some varient of %s are possible
vulnerabilities.

The same applies to "dig".

They must all be fixed.

Current thread:

FreeBSD's RST validation, (continued)
- - - FreeBSD's RST validation Tristan Horn (Aug 30)
    - Re: FreeBSD's RST validation James Snow (Aug 30)
    - Re: FreeBSD's RST validation Tristan Horn (Aug 30)
    - port scanning. (fwd) Darren Reed (Aug 31)
    - Re: FreeBSD's RST validation Andrey Alekseyev (Aug 31)
    - Re: FreeBSD's RST validation Diane Bruce (Aug 30)
    - Re: FreeBSD's RST validation Oliver Friedrichs (Aug 31)
    - SEYON vulnerability in TurboLinux 2.0 Scott Stone (Aug 30)
    - Re: buffer overflow in nslookup? www.devoid.net (Aug 30)
    - Re: buffer overflow in nslookup? Benjamin J Stassart (Aug 30)
    - Re: buffer overflow in nslookup? Theo de Raadt (Aug 31)
    - Re: buffer overflow in nslookup? Uwe Ohse (Aug 31)
    - Hole in Oracle Server/Developer 2000 - authentication protocol. Yaron Yanay (Aug 31)
    - Re: buffer overflow in nslookup? Willy TARREAU (Aug 31)
- PTL Advisory: NetManage ZPOP v1.0 ekiM (Aug 25)
- Administrivia Aleph One (Aug 25)
- SV: Serious Security Hole in Hotmail Jonathan James (Aug 25)