OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Fwd: tcpdump workaround against dnsloop exploit.
From: THE INFAMOUS (evil7BELLSOUTH.NET)
Date: Wed May 03 2000 - 17:32:26 CDT

---------- Forwarded Message ----------
Subject: tcpdump workaround against dnsloop exploit.
Date: 04 May 2000 00:32:22 +0200
From: yoannmandrakesoft.com

Hi,

Here is my patch to tcpdump against the dnsloop exploit...
I have really no knowledge of the dns internal at all,
so this is probably not ( and this is not ) the good way of preventing this.

However, it work against this attack,
but i hope it doesn't break anything for the printing of compressed
domain name.

Please remember, this is only a workaround
and might break the printing of compressed domain name in tcpdump.

--- print-domain.orig Wed May 3 23:33:13 2000
+++ print-domain.c Thu May 4 00:22:05 2000
-150,6 +150,7
 {
         register u_int i;
         register const u_char *rp;
+ register const u_char *old = NULL;
         register int compress;

         i = *cp++;
-162,8 +163,17
         if (i != 0)
                 while (i && cp < snapend) {
                         if ((i & INDIR_MASK) == INDIR_MASK) {
- cp = bp + (((i << 8) | *cp) & 0x3fff);
- i = *cp++;
+ cp = bp + (((i << 8) | *cp) & 0x3fff);
+
+ /*
+ * If we got two time the same data ptr,
+ * this mean we are looping.
+ */
+ if ( cp == old)
+ return NULL;
+ old = cp;
+
+ i = *cp++;
                                 continue;
                         }
                         if (fn_printn(cp, i, snapend)) 

--
		-- Yoann http://www.mandrakesoft.com/~yoann/
 It is well known that M$ product don't make a free() after a malloc(),
the unix community wish them good luck for their future developement.
-------------------------------------------------------

--
Bryan
Microsoft - Bringing you yesterdays technology today and breaking it along
the way...