Bugtraq archives for 3rd quarter (Jul-Sep) 1998: buffer overflow in nslookup?

buffer overflow in nslookup?

Peter van Dijk (peterATTIC.VUURWERK.NL)
Sat, 29 Aug 1998 16:36:02 +0200

[peterkoek] ~$ nslookup `perl -e 'print "A" x 100;'`
Server:  zopie.attic.vuurwerk.nl
Address:  10.10.13.1

*** zopie.attic.vuurwerk.nl can't find AAA.....AAA: Unspecified error
[peterkoek] ~$ nslookup `perl -e 'print "A" x 300;'`
Server:  zopie.attic.vuurwerk.nl
Address:  10.10.13.1

*** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
Segmentation fault (core dumped)
[peterkoek] ~$ nslookup `perl -e 'print "A" x 1000;'`
Server:  zopie.attic.vuurwerk.nl
Address:  10.10.13.1

Segmentation fault (core dumped)

At first, this does not seem a problem: nslookup is not suid root or anything.
But several sites have cgi-scripts that call nslookup... tests show that these
will coredump when passed enough characters. Looks exploitable to me...

Greetz, Peter.
--
'I guess anybody who walks away from a root shell at :         Peter van Dijk
 a nerd party gets what they deserve!' -- BillSF     :peterattic.vuurwerk.nl
-- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --
finger hardbeatselweird.ml.org for my public PGP-key
  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -
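As an added illustration from the defensive side, not part of Peter's post: a CGI wrapper that rejects over-long or malformed hostnames before they ever reach nslookup, and passes the value as a single argument rather than interpolating it into a shell command. The length limits follow RFC 1035; the function names and the error message are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: the CGI receives an
# untrusted hostname and wants to run nslookup on it.
#
# Weak pattern the post warns about (shown only as a comment):
#     nslookup $QUERY_STRING      # unbounded length, shell re-parsing

# validate_hostname NAME -> 0 if NAME is a syntactically legal DNS name,
# 1 otherwise. Limits per RFC 1035: whole name <= 253 bytes, every label
# 1..63 bytes of [A-Za-z0-9-] with no leading or trailing hyphen.
# A 300- or 1000-byte run of "A" therefore fails on length, a 100-byte run
# fails on label length, and shell metacharacters fail on charset.
validate_hostname() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;     # only letters, digits, dot, hyphen
    esac
    rest=$name
    while :; do
        label=${rest%%.*}                 # label before the next dot
        [ ${#label} -ge 1 ] && [ ${#label} -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;            # hyphen may not start or end a label
        esac
        [ "$rest" = "$label" ] && return 0   # no dots left: every label checked
        rest=${rest#*.}
    done
}

# safe_nslookup NAME -> runs nslookup only on validated input, handing the
# name over as one argv element so the shell never re-parses it. Because a
# leading hyphen is rejected above, the value cannot be read as an option.
safe_nslookup() {
    if validate_hostname "$1"; then
        nslookup "$1"
    else
        echo "rejected hostname (length or characters)" >&2
        return 1
    fi
}
```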