Bugtraq mailing list archives

Fwd: tcpdump workaround against dnsloop exploit.

From: evil7 () BELLSOUTH NET (THE INFAMOUS)
Date: Wed, 3 May 2000 17:32:26 -0500


----------  Forwarded Message  ----------
Subject: tcpdump workaround against dnsloop exploit.
Date: 04 May 2000 00:32:22 +0200
From: yoann () mandrakesoft com

Hi,

Here is my patch to tcpdump against the dnsloop exploit...
I have really no knowledge of the dns internal at all,
so this is probably not ( and this is not ) the good way of preventing this.

However, it work against this attack,
but i hope it doesn't break anything for the printing of compressed
domain name.

Please remember, this is only a workaround
and might break the printing of compressed domain name in tcpdump.

--- print-domain.orig   Wed May  3 23:33:13 2000
+++ print-domain.c      Thu May  4 00:22:05 2000
@@ -150,6 +150,7 @@
 {
         register u_int i;
         register const u_char *rp;
+       register const u_char *old = NULL;
         register int compress;

         i = *cp++;
@@ -162,8 +163,17 @@
         if (i != 0)
                 while (i && cp < snapend) {
                         if ((i & INDIR_MASK) == INDIR_MASK) {
-                               cp = bp + (((i << 8) | *cp) & 0x3fff);
-                               i = *cp++;
+                               cp = bp + (((i << 8) | *cp) & 0x3fff);
+
+                               /*
+                                * If we got two time the same data ptr,
+                                * this mean we are looping.
+                                */
+                               if ( cp == old)
+                                       return NULL;
+                               old = cp;
+
+                               i = *cp++;
                                 continue;
                         }
                         if (fn_printn(cp, i, snapend))

--
                -- Yoann http://www.mandrakesoft.com/~yoann/
 It is well known that M$ product don't make a free() after a malloc(),
the unix community wish them good luck for their future developement.
-------------------------------------------------------

--
Bryan
Microsoft - Bringing you yesterdays technology today and breaking it along
the way...

Current thread:

Re: Denial of service attack against tcpdump, (continued)
- - Re: Denial of service attack against tcpdump Gerald Combs (May 03)
  - "ILOVEYOU" virus analysis Steve Wolfe (May 04)
  - 2.2.14 Kernel exec/open bug (?) The Cr0W (May 05)
  - Re: Denial of service attack against tcpdump Hugo.van.der.Kooij () CAIW NL (May 09)
- glibc resolver weakness antirez (May 02)
  - Re: glibc resolver weakness Bennett Todd (May 03)
  - Re: glibc resolver weakness Valdis.Kletnieks () VT EDU (May 03)
  - Re: glibc resolver weakness Andrew Brown (May 03)
  - Cayman 3220-H DSL Router DOS cassius () HUSHMAIL COM (May 05)
- Fun with UltraBoard V1.6X rudi carell (May 03)
  - Fwd: tcpdump workaround against dnsloop exploit. THE INFAMOUS (May 03)
    - Re: tcpdump workaround against dnsloop exploit. David Schwartz (May 06)
    - NetBSD Security Advisory 2000-002 Daniel Carosone (May 06)
    - [NHC20000504a.0: NetBSD Panics when sent unaligned IP options] NHC Research (May 06)
    - Re: Fwd: tcpdump workaround against dnsloop exploit. Sebastian (May 07)
  - Re: Fun with UltraBoard V1.6X Juan M. Bello Rivas (May 05)