Subject: Bug, possible hole in nslookup, various operating systems
From: Gunnar Wolf (gwolf@CAMPUS.IZTACALA.UNAM.MX)
Date: Fri Dec 15 2000 - 11:23:16 CST


Hello,

I found a strange behavior in the nslookup command, and was able to
reproduce it on several different platforms. I do not have deep knowledge
of the inner workings of nslookup, but the message I got seemed a bit
suspicious, and I decided to report it before someone can find a way to
exploit it.

What I am doing is very simple - too simple, maybe. I run nslookup in
interactive mode, and send ^C while it is waiting for my text. This leads
to this error:

---------------------------------------------------------
SOLARIS:
---------------------------------------------------------
[gwolf@solaris gwolf]$ /usr/sbin/nslookup
Default Server: dns1.unam.mx
Address: 132.248.204.1

> asd^C
> fatal flex scanner internal error--end of buffer missed

---------------------------------------------------------
LINUX:
---------------------------------------------------------
[gwolf@linux gwolf]$ nslookup
Default Server: dns1.unam.mx
Address: 132.248.204.1

> asd
> fatal flex scanner internal error--end of buffer missed

---------------------------------------------------------
IRIX:
---------------------------------------------------------
Yes_Master: nslookup

Default Server: dns1.unam.mx
Address: 132.248.204.1
>
> fatal flex scanner internal error--end of buffer missed

I think that when a ^C is received, nslookup is passing a non-terminated
string - a string without the ASCII 0 character marking the end of the
string. The flex lexical analyzer detects this and, fortunately, complains
out loud... However, there can be a way to lead from here to a compromise
situation.

I tried to run this in OpenBSD and in Digital UNIX, and:

---------------------------------------------------------
OPENBSD
---------------------------------------------------------
[gwolf@openbsd gwolf]$ nslookup
Default Server: dns1.unam.mx
Address: 132.248.204.1

> ^C
> ^C
>
---------------------------------------------------------
DIGITAL
---------------------------------------------------------
digital> nslookup
Default Server: dns1.unam.mx
Address: 132.248.204.1

>
>
---------------------------------------------------------

The operating systems and versions I tested this on are:

VULNERABLE:
RedHat Linux 6.1 for Alpha and i386 (kernel 2.2.16)
Solaris 7 for Sparc
Irix athos 6.2

NOT VULNERABLE:
OpenBSD 2.7 for Sparc and i386
OpenBSD 2.8 for i386
Digital Unix V4.0C

-------------------------------------------------------------------
           Gunnar Wolf gwolf@campus.iztacala.unam.mx
     Universidad Nacional Autónoma de México, Campus Iztacala
   Head of the Network Systems Development and Administration Section
       Computer Security Department - DGSCA - UNAM
-------------------------------------------------------------------
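The author's hypothesis above is that an interrupted read leaves the lexer with a buffer that never got its terminator. The C below is an added illustration, not nslookup's code: it models that pattern against a constructed reader that fails once with EINTR (as ^C during a blocking terminal read would), beside a hardened version that retries the interrupted read and terminates the buffer on every path.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for a blocking read() on a terminal: the first call is
 * interrupted by a signal (EINTR, as ^C would do), the second delivers "asd\n". */
typedef ssize_t (*reader_fn)(char *buf, size_t len);
static int calls;
static ssize_t interrupted_reader(char *buf, size_t len) {
    const char *line = "asd\n";
    size_t n = strlen(line) < len ? strlen(line) : len;
    if (calls++ == 0) { errno = EINTR; return -1; }
    memcpy(buf, line, n);
    return (ssize_t)n;
}

/* Fragile pattern: on -1 the caller gives up without touching the buffer, so
 * a lexer fed from it inherits stale bytes with no NUL terminator. */
static int fill_fragile(reader_fn rd, char *buf, size_t len) {
    ssize_t n = rd(buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Hardened pattern: retry on EINTR and terminate the buffer on every path. */
static int fill_robust(reader_fn rd, char *buf, size_t len) {
    ssize_t n;
    buf[0] = '\0';
    do { n = rd(buf, len - 1); } while (n < 0 && errno == EINTR);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}
/* 1 if a NUL terminator exists anywhere in buf[0..len). */
static int nul_terminated(const char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}
/* Drive each pattern with a buffer pre-filled with stale bytes ('X'). */
int fragile_leaves_terminator(void) {
    char buf[16]; memset(buf, 'X', sizeof buf); calls = 0;
    fill_fragile(interrupted_reader, buf, sizeof buf);
    return nul_terminated(buf, sizeof buf);      /* 0: a lexer would run off the end */
}
int robust_line_length(void) {
    char buf[16]; memset(buf, 'X', sizeof buf); calls = 0;
    int n = fill_robust(interrupted_reader, buf, sizeof buf);
    return (nul_terminated(buf, sizeof buf) && strcmp(buf, "asd\n") == 0) ? n : -1;
}
```

The flex "end of buffer missed" message is the scanner noticing exactly the first outcome: a buffer handed over without the sentinel it expects.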