Bugtraq mailing list archives
Re: pnserver exploit..
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Fri, 16 Jan 1998 14:59:53 -0500
> It seems that the pnserver bug was different than first thought. The telnet client sends 6 characters that crash the server when its own maxbuffer is reached. Here is a working exploit.
> sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6); write(sock, &buffer[0], strlen(buffer));
(Um, that's only 5 characters.)
Hmmm. In telnet terms, IAC IP IAC DO TIMING-MARK. (See RFCs 854 and
860 for more.)
What telnet client is this? Not to imply that pnserver is not wrong to
crash, but this looks like a somewhat weird thing for a telnet client
to send - or have I missed part of the discussion? This would make
sense if the telnet client generated it in response to something like a
terminal interrupt character.
der Mouse
mouse () rodents montreal qc ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
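Since the five bytes under discussion are ordinary RFC 854 negotiation, here is an added example (my own, not code from the thread or from pnserver) of a bounded scanner a server could run over each received chunk: it separates IAC commands from data, answers DO TIMING-MARK with WILL TIMING-MARK as RFC 860 asks, refuses other options, and never writes past its buffers, which is the property pnserver's maxbuffer handling lacked. Subnegotiation (SB ... SE) is assumed not to occur and is not handled.

```c
#include <stddef.h>
/* Telnet command codes (RFC 854) and the TIMING-MARK option (RFC 860). */
enum { IAC = 255, DONT = 254, DO = 253, WONT = 252, WILL = 251, IP = 244 };
enum { TIMING_MARK = 6 };
#define TELNET_NEED_MORE (-1)   /* chunk ends inside an IAC sequence */

/*
 * Scan one received chunk. Data bytes go to `data` (IAC IAC unescapes to one
 * 255); anything past data_cap is dropped rather than overflowing. DO
 * TIMING-MARK is answered WILL TIMING-MARK (RFC 860: the peer uses it to learn
 * when everything before the mark, here the IP, has been handled); other DOs
 * get WONT, WILLs get DONT, two-byte commands such as IP get no reply.
 * Returns the number of data bytes stored, or TELNET_NEED_MORE (outputs are
 * then incomplete; retry with the full chunk). *reply_len gets the reply size.
 */
int telnet_scan(const unsigned char *in, size_t n,
                unsigned char *data, size_t data_cap,
                unsigned char *reply, size_t reply_cap, size_t *reply_len)
{
    size_t i = 0, d = 0, r = 0;
    *reply_len = 0;
    while (i < n) {
        if (in[i] != IAC) {                       /* ordinary data byte */
            if (d < data_cap) data[d++] = in[i];
            i++;
            continue;
        }
        if (i + 1 >= n) return TELNET_NEED_MORE;
        unsigned char cmd = in[i + 1];
        if (cmd == IAC) {                         /* escaped data byte 255 */
            if (d < data_cap) data[d++] = IAC;
            i += 2;
            continue;
        }
        if (cmd == DO || cmd == DONT || cmd == WILL || cmd == WONT) {
            if (i + 2 >= n) return TELNET_NEED_MORE;
            unsigned char opt = in[i + 2], ans = 0;
            if (cmd == DO)   ans = (opt == TIMING_MARK) ? WILL : WONT;
            if (cmd == WILL) ans = DONT;
            if (ans && r + 3 <= reply_cap) {
                reply[r++] = IAC; reply[r++] = ans; reply[r++] = opt;
            }
            i += 3;
            continue;
        }
        i += 2;                                   /* IP, AYT, NOP, ...: consume */
    }
    *reply_len = r;
    return (int)d;
}
```

Fed the five bytes from the quoted exploit, the scanner stores no data and produces the three-byte reply IAC WILL TIMING-MARK; fed only the first four bytes it reports TELNET_NEED_MORE instead of reading past the end.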