Re: Fwd: tcpdump workaround against dnsloop exploit.

[scut () NB IN-BERLIN DE (Sebastian)]

On Wed, May 03, 2000 at 05:32:26PM -0500, THE INFAMOUS wrote:

> Hi,

Hi.

> Here is my patch to tcpdump against the dnsloop exploit...
> I have really no knowledge of the dns internal at all,
> so this is probably not ( and this is not ) the good way of preventing this.

It prevents only the "jump-on-itself" type of attack, but it leaves
the decoder still vulnerable to other type of compression attacks where
more then one label is involved. The only secure way is to use a
label counter such as in the BIND decompression routines.

> +                               /*
> +                                * If we got two time the same data ptr,
> +                                * this mean we are looping.
> +                                */
> +                               if ( cp == old)
> +                                       return NULL;
> +                               old = cp;

Imagine something like:

alabel<pointer-ahead-to-b-label>blabel<pointer-to-a-label>

ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -