Bugtraq mailing list archives

Re: buffer overflow in nslookup?


From: tarreau () AEMIAIF LIP6 FR (Willy TARREAU)
Date: Mon, 31 Aug 1998 10:38:50 +0200


Segmentation fault (core dumped)

At first, this does not seem to be a problem: nslookup is not suid root or anything.
But several sites have CGI scripts that call nslookup... tests show that these
will core dump when passed enough characters. Looks exploitable to me...

It is; I've successfully got a shell using my old generic exploit, with 260
bytes followed by a pointer to esp-400.

                                        Willy

--
+----------------------------------------------------------------------------+
| Willy Tarreau - tarreau () aemiaif lip6 fr - http://www-miaif.lip6.fr/willy/  |
| System and Network Engineer - NOVECOM - http://novworld.novecom.fr/        |
| Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |
+----------------------------------------------------------------------------+
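
The point of the post is that a crash in a binary nobody would call suid-sensitive becomes remotely reachable the moment a CGI script forwards user input to it. The following is an added example, not code from the post, from nslookup, or from any of the sites mentioned: a minimal C CGI wrapper that refuses to exec nslookup unless the argument is a short, well-formed hostname, so that the long argument described above (260 bytes) never reaches it. Assumptions, all mine: the already URL-decoded form field arrives in an environment variable named HOST, nslookup lives at /usr/bin/nslookup, and the 253/63 length limits are the RFC 1035 limits on a DNS name and a single label. The character set is stricter than DNS strictly requires (no trailing dot, no underscores), which is deliberate for a lookup form.

```c
/* Added example (not from the original post): hostname validation a CGI
 * wrapper should perform before handing user-supplied text to nslookup.
 * nslookup itself still has the stack overflow the post reports; the only
 * thing the caller can do is never pass it an argument long or strange
 * enough to matter, and never go through a shell on the way. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_NAME  253   /* RFC 1035: longest DNS name in text form */
#define MAX_LABEL  63   /* RFC 1035: longest single label */

/* Return true only if s is a plausible hostname: bounded total length,
 * bounded label length, ASCII letters/digits/hyphen only, single dots as
 * separators, no empty labels, no label starting or ending with a hyphen.
 * Anything a shell or a buggy parser might care about (';', '|', '$',
 * spaces, quotes, 260 'A's) is rejected here. */
bool valid_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_NAME) return false;

    size_t label = 0;                       /* length of the current label */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0) return false;   /* leading dot or empty label */
            if (s[i - 1] == '-') return false;  /* label ends in hyphen */
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;
        if (c == '-' && label == 0) return false;   /* label starts with hyphen */
        if (++label > MAX_LABEL) return false;
    }
    if (label == 0) return false;           /* trailing dot (rejected by choice) */
    if (s[n - 1] == '-') return false;
    return true;
}

/* Fill a fixed argv for execv(); returns 0 on success, -1 if the query is
 * rejected. execv() with an argv array (rather than system()/popen()) means
 * the query is never reinterpreted by a shell, and valid_hostname() bounds
 * the argument length before nslookup ever sees it. */
int build_nslookup_argv(const char *query, char *argv[3])
{
    if (!valid_hostname(query)) return -1;
    argv[0] = "nslookup";
    argv[1] = (char *)query;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Assumption: the CGI front end has already URL-decoded the form field
     * into HOST. Decoding is left out to keep the example short. */
    const char *q = getenv("HOST");
    char *argv[3];

    if (q == NULL || build_nslookup_argv(q, argv) != 0) {
        fputs("Content-Type: text/plain\r\n\r\nrejected: not a hostname\r\n", stdout);
        return 1;
    }
    fputs("Content-Type: text/plain\r\n\r\n", stdout);
    fflush(stdout);                          /* header must leave before exec */
    execv("/usr/bin/nslookup", argv);        /* assumed path */
    perror("execv");
    return 1;
}
```

Run it as a CGI with HOST set to a hostname and it execs nslookup directly; set HOST to 260 bytes of filler or to anything containing a shell metacharacter and it answers "rejected" without spawning a process. The validator is the part worth reusing: the length bound is what closes the reported crash, and the character whitelist is what keeps the wrapper from becoming the next bug when someone later swaps execv() for system().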


