Bugtraq mailing list archives
Re: Denial of service attack against tcpdump
From: antirez () LINUXCARE COM (antirez)
Date: Wed, 3 May 2000 20:39:52 +0200
On Tue, May 02, 2000 at 07:46:33PM -0400, bretonh () PARANOIA PGCI CA wrote:
> There is a way to disable tcpdump running on a remote host. By sending a
This isn't new, check: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-06-1&msg=Pine.LNX.4.05.9905301511370.9647-101000 () nb in-berlin de
> If this jump offset is set to its own location and if a program trying to decompress the domain name does not have any type of counter or strategy to avoid infinite loops, then the program will jump to the same offset in the packet over and over again.
Yep: since DNS name compression does NOT allow pointing to an offset that contains pointers, the fix is really simple.
Only the "j" variable was added. The 256 jump limit is debatable, but this is only my humble suggestion of a temporary fix.
256 jumps are not allowed, a name can contain a pointer to some offset with nul-terminated labels (RFC1035).
> One might wonder, however, if this type of bug could also be present in other software that also extracts domain names from UDP packets containing DNS queries or replies. I would suggest anyone running software that inspects contents of DNS traffic to test themselves against this.
Sebastian reported tcpdump vulnerable, Ethereal vulnerable, bind not vulnerable, but the posting is dated "Sun May 30 1999 15:32:58".

regards,
antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.8024648 tel, +39.049.8036484 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
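The loop described in this thread comes from a DNS compression pointer whose 14-bit offset refers to itself (or to a chain that returns to it). Below is an added example of a name decoder that cannot be trapped that way; it is not antirez's patch and not tcpdump's or Ethereal's code, and the names `dns_decode_name`, `DNS_MAX_JUMPS` (set to 16 here, an assumed value) and the constructed packet `demo_pkt` are this example's own. It applies two independent defences: a jump counter, as the post suggests, and the stricter RFC1035 rule that a pointer may only refer to an earlier occurrence, so every jump must land before the start of the name segment that contains it. The packet is constructed inline and includes a valid compressed name, a self-referencing pointer and a two-pointer cycle.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME 255
#define DNS_MAX_JUMPS 16   /* assumed cap on compression pointers followed per name */

/* Decode a possibly compressed DNS name starting at offset `off` in `pkt`.
 * Writes the dotted name into `out` (capacity `outlen`) and returns the number
 * of bytes the name occupies at `off` (labels up to and including the first
 * pointer, or the terminating zero), or -1 if the name is malformed: label or
 * pointer past the end of the packet, reserved label type, over-long name,
 * too many jumps, or a pointer that does not move strictly backwards. */
int dns_decode_name(const uint8_t *pkt, size_t pktlen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off;       /* current read position */
    size_t limit = off;     /* every pointer target must be < limit */
    size_t consumed = 0;    /* bytes occupied at the original offset */
    size_t outpos = 0;
    int jumped = 0;
    int jumps = 0;

    if (outlen == 0) return -1;

    for (;;) {
        if (pos >= pktlen) return -1;
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {            /* compression pointer */
            if (pos + 1 >= pktlen) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) consumed = pos + 2 - off;
            jumped = 1;
            /* Defence 1: bounded number of jumps per name (the "j" counter idea). */
            if (++jumps > DNS_MAX_JUMPS) return -1;
            /* Defence 2: RFC1035 pointers refer to a prior occurrence, so the
             * target must lie before the segment being read; `limit` only ever
             * decreases, which makes a cycle impossible regardless of the cap. */
            if (target >= limit) return -1;
            limit = target;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;             /* 0x40 / 0x80 label types are reserved */

        if (len == 0) {                        /* root label terminates the name */
            if (!jumped) consumed = pos + 1 - off;
            break;
        }
        if (pos + 1 + len > pktlen) return -1; /* label runs past the packet */
        size_t need = outpos + (outpos ? 1 : 0) + len + 1;
        if (need > outlen || need > DNS_MAX_NAME + 1) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
    out[outpos] = '\0';
    return (int)consumed;
}

/* Constructed sample packet: a 12-byte zeroed header, then
 *   offset 12: "www.example.com" as plain labels (17 bytes)
 *   offset 29: "mail" + pointer to offset 16 ("example.com")
 *   offset 36: pointer to itself (the loop from the thread)
 *   offset 38: pointer to 40, and offset 40: pointer back to 38 */
static const uint8_t demo_pkt[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0,0x10,
    0xC0,0x24,
    0xC0,0x28, 0xC0,0x26
};

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    size_t offs[] = {12, 29, 36, 38};
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        int n = dns_decode_name(demo_pkt, sizeof demo_pkt, offs[i], name, sizeof name);
        if (n < 0) printf("offset %zu: rejected (malformed or looping name)\n", offs[i]);
        else       printf("offset %zu: %s (%d bytes)\n", offs[i], name, n);
    }
    return 0;
}
```

Either defence alone stops the self-referencing pointer; the backward-only rule is the one that also terminates on cycles built from several pointers and labels, where a generous jump cap would still spend time before giving up.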