Bugtraq mailing list archives
Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
From: Valdis.Kletnieks () vt edu
Date: Mon, 16 Dec 2002 23:56:10 -0500
On Mon, 16 Dec 2002 21:39:32 +0100, Stefan Esser <s.esser () e-matters de> said:
> Hello,
>
> Due to the way requests are logged the only way to exploit this vulnerability is through setting the DNS name of the fingering host to the attacker-supplied format string.
>
> I really wonder how you want to exploit this... Last time I checked all tested resolvers (Linux/BSD/Solaris) did not allow % within domain names and so your format string vulnerability is not exploitable at all...
Gotta read them RFCs carefully. ;) *ON THE WIRE*, all 256 byte codes are legal, since DNS uses a length-data encoding. Currently, there are restrictions on what chars are legal *for use*, but there's no reason to suppose that with i18n and UTF-8 possibly appearing in domain names, this won't change.

Now ponder the fun you can have with a PTR entry - as that is what needs to be returned for "setting the DNS name of the fingering host". What? You can't get that into a BIND 9 zone file? Try grepping through the source for "check-names" and ponder the possibilities. You don't even need to hack the source code for this one....

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
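The point of the exchange above is that a PTR answer may carry any byte on the wire, so the application that logs a resolved name must both validate it and keep it out of the format argument. As an added example (not code from this thread or from PFinger; the function names are my own), a defender-side check in C:

```c
/* Added example, not from the original thread or from PFinger:
 * validate a reverse-lookup result against host-name syntax before it
 * is logged, and build the log line with a fixed format so the name is
 * only ever an argument, never the format string itself. */
#include <stdio.h>
#include <string.h>

static int is_label_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* RFC 1123 host-name syntax: labels of 1..63 chars from [A-Za-z0-9-],
 * no label starting or ending with '-', total length at most 253, an
 * optional single trailing dot. Anything else ('%', control bytes,
 * 8-bit bytes, empty labels) is rejected. Returns 1 if the name is safe. */
int hostname_is_safe(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || name[i - 1] == '-')
                return 0;                 /* empty label or trailing '-' */
            label = 0;
        } else if (is_label_char(c)) {
            if (label == 0 && c == '-')
                return 0;                 /* leading '-' in a label */
            if (++label > 63)
                return 0;                 /* label too long */
        } else {
            return 0;                     /* '%' and other illegal bytes */
        }
    }
    return 1;
}

/* Vulnerable pattern:  syslog(LOG_INFO, line_containing_hostname);
 * Safe pattern:        syslog(LOG_INFO, "%s", line_containing_hostname);
 * Here the line is written into a caller-supplied buffer with a fixed
 * format; names that fail validation are replaced by a placeholder.
 * Returns what snprintf returns. */
int format_request_log(char *out, size_t outsz, const char *host, const char *user)
{
    const char *shown = hostname_is_safe(host) ? host : "<invalid-hostname>";
    return snprintf(out, outsz, "finger request for %s from %s", user, shown);
}
```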