Bugtraq mailing list archives
Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Mon, 16 Dec 2002 22:49:21 +0100 (CET)
> Due to the way requests are logged, the only way to exploit this vulnerability is through setting the DNS name of the fingering host to the attacker-supplied format string.

> I really wonder how you want to exploit this... Last time I checked, all tested resolvers (Linux/BSD/Solaris) did not allow % within domain names, and so your format string vulnerability is not exploitable at all...
If your resolver does not allow "funny characters" in domains, it is broken. If nothing else, that sort of crippling makes it approximately impossible to investigate abuse that involves using such domain names. (At least one spammer outfit is known to use domain names containing control characters and, I think, at least one other unusual character, presumably in an attempt to make it harder to investigate their spam.)

0x00 octets in domain labels won't work well with APIs that use C strings, but the resolver shouldn't misbehave when encountering them internally - and breaking on any of the other 255 octets is a Very Bad Idea. (At least in the resolver. Other software and protocols may of course impose their own restrictions, of varying degrees of sanity. But the resolver infrastructure has to support all uses of the DNS, including "unusual" uses.)

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!             7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
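The logging pattern the thread argues about, as an added illustration that is not pfinger's code and not from any message here: the bug is passing the peer's reverse-DNS name as the format, and the fix is to treat the name as data regardless of what octets the resolver hands back. The sample host name and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a reverse-DNS answer that the resolver passed
 * through untouched, '%' directives and an escape sequence (ESC [ 2 J)
 * included, as der Mouse argues a resolver should. */
static const char SAMPLE_HOST[] = "evil%s%x\x1b[2Jhost.example";

/* The vulnerable shape the advisory describes: the peer's name is the
 * format itself, so the '%' directives in SAMPLE_HOST get interpreted.
 *     snprintf(line, sizeof line, host);     <-- never do this
 * Left as a comment only, since its behaviour is undefined. */

/* Copy a DNS name for logging.  Printable ASCII other than '\' passes
 * through ('%' included: as an argument it is harmless).  Every other
 * octet becomes \xHH so control characters cannot corrupt the log.
 * Returns 0 on success, -1 if out is too small. */
int escape_for_log(char *out, size_t outsz, const char *host)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)host; *p; p++) {
        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outsz) return -1;
            snprintf(out + o, outsz - o, "\\x%02x", *p);
            o += 4;
        }
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return 0;
}

/* Hardened logging: the name is always an argument to a fixed format.
 * Returns the line length, or -1 if it did not fit. */
int log_finger_request(char *line, size_t linesz, const char *host,
                       const char *user)
{
    char safe[512];
    if (escape_for_log(safe, sizeof safe, host) != 0)
        return -1;
    int n = snprintf(line, linesz, "finger request for %s from %s", user, safe);
    return (n < 0 || (size_t)n >= linesz) ? -1 : n;
}
```

For SAMPLE_HOST and user "root" the function yields `finger request for root from evil%s%x\x1b[2Jhost.example`: the directives survive as plain text and the escape sequence is neutralised.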