OSEC

 
Subject: Re: Bug, possible hole in nslookup, various operating systems
From: SSecurity (dave.mclaughlin@SITE-SECURITY.NET)
Date: Sun Dec 17 2000 - 10:20:25 CST


Just a couple that I tested...

Slackware 7.1.0
Linux slackware 2.2.17 #2
bash-2.04$ nslookup
Default Server: proxy1.corlis1.pa.home.com
Address: 24.1.40.33

>
> fatal flex scanner internal error--end of buffer missed
bash-2.04$

___________

FreeBSD 2.2.7-STABLE

bash-2.01$ nslookup
Default Server: ns1.xxxxxxx.net
Address: 199.xxx.xx.10

> ^C
> ^C
> ^C
> ^C
> ^C

Dave McLaughlin
security@justshow.com

On Fri, 15 Dec 2000 11:23:16 -0600, Gunnar Wolf said:

> Hello,
>
> I found a strange behavior in the nslookup command, and was able to
> reproduce it on several different platforms. I do not have deep knowledge
> of the inner workings of nslookup, but the message I got seemed a bit
> suspicious, and I decided to report it before someone can find a way to
> exploit it.
>
> What I am doing is very simple - too simple, maybe. I run nslookup in
> interactive mode, and send ^C while it is waiting for my text. This leads
> to this error:
>
> ---------------------------------------------------------
> SOLARIS:
> ---------------------------------------------------------
> [gwolf@solaris gwolf]$ /usr/sbin/nslookup
> Default Server: dns1.unam.mx
> Address: 132.248.204.1
>
> > asd^C
> > fatal flex scanner internal error--end of buffer missed
>
> ---------------------------------------------------------
> LINUX:
> ---------------------------------------------------------
> [gwolf@linux gwolf]$ nslookup
> Default Server: dns1.unam.mx
> Address: 132.248.204.1
>
> > asd
> > fatal flex scanner internal error--end of buffer missed
>
> ---------------------------------------------------------
> IRIX:
> ---------------------------------------------------------
> Yes_Master: nslookup
>
> Default Server: dns1.unam.mx
> Address: 132.248.204.1
> >
> > fatal flex scanner internal error--end of buffer missed
>
> I think that when a ^C is received, nslookup is passing a non-terminated
> string - a string without the ASCII 0 character marking the end of the
> string. The flex lexical analyzer detects this and, fortunately, complains
> out loud... However, there can be a way to lead from here to a compromise
> situation.
>
> I tried to run this in OpenBSD and in Digital UNIX, and:
>
> ---------------------------------------------------------
> OPENBSD
> ---------------------------------------------------------
> [gwolf@openbsd gwolf]$ nslookup
> Default Server: dns1.unam.mx
> Address: 132.248.204.1
>
> > ^C
> > ^C
> >
> ---------------------------------------------------------
> DIGITAL
> ---------------------------------------------------------
> digital> nslookup
> Default Server: dns1.unam.mx
> Address: 132.248.204.1
>
> >
> >
> ---------------------------------------------------------
>
> The operating systems and versions I tested this on are:
>
> VULNERABLE:
> RedHat Linux 6.1 for Alpha and i386 (kernel 2.2.16)
> Solaris 7 for Sparc
> Irix athos 6.2
>
> NOT VULNERABLE:
> OpenBSD 2.7 for Sparc and i386
> OpenBSD 2.8 for i386
> Digital Unix V4.0C
>
> -------------------------------------------------------------------
> Gunnar Wolf gwolf@campus.iztacala.unam.mx
> Universidad Nacional Autónoma de México, Campus Iztacala
> Jefatura de Sección de Desarrollo y Admon. de Sistemas en Red
> Departamento de Seguridad en Computo - DGSCA - UNAM
> -------------------------------------------------------------------
>
>
>
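An added illustration of the failure pattern behind the quoted message (example code written for this archive page, not nslookup's or flex's source, and not from either poster). flex emits "fatal flex scanner internal error--end of buffer missed" when, on refilling its input buffer, it finds the scan pointer already past the buffer's two NUL sentinel bytes. The page does not say how nslookup handles SIGINT; the model below assumes the common pattern of a handler that longjmp()s straight back to the prompt loop, which abandons a half-done refill and re-enters the scanner with a stale pointer. Next to it is the safer shape: the handler only sets a flag, and the prompt loop restarts the scanner before reading again. The `struct scanner`, the `'^'` marker standing for a Ctrl-C mid-read, the session text and the `demo_*` functions are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 64
enum { SCAN_OK, SCAN_EOF, SCAN_INTR, SCAN_FATAL };
/* Flex-style buffer: line text followed by two NUL sentinel bytes; the scan
 * pointer must never move past buf[n_chars + 1]. */
struct scanner {
    char buf[BUFSZ + 2];
    int n_chars;        /* bytes of real input currently in buf */
    char *cur;          /* next byte to scan */
    const char *input;  /* constructed input string standing in for stdin */
};
static sigjmp_buf intr_env;
static volatile sig_atomic_t intr_flag;
char flag_demo_line[BUFSZ];  /* last line read by demo_flag_handler() */

/* Unsafe pattern (assumed for nslookup): jump straight back to the prompt. */
static void handler_longjmp(int sig) { (void)sig; siglongjmp(intr_env, 1); }
/* Safe pattern: only record that ^C arrived; the prompt loop acts on it. */
static void handler_flag(int sig) { (void)sig; intr_flag = 1; }

static void install(void (*fn)(int)) {
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_handler = fn; sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, NULL);
}
static void scanner_restart(struct scanner *s, const char *input) {
    s->input = input; s->n_chars = 0;
    s->buf[0] = s->buf[1] = '\0'; s->cur = s->buf;
}

/* Pull the next line into buf. A '^' in the constructed input stands for ^C
 * arriving while the read is in progress. As in flex, the old contents are
 * dropped before the read and cur is repositioned only after it completes. */
static int refill(struct scanner *s) {
    if (s->cur > s->buf + s->n_chars + 1)   /* flex: "end of buffer missed" */
        return SCAN_FATAL;
    s->n_chars = 0; s->buf[0] = s->buf[1] = '\0';
    while (*s->input && s->n_chars < BUFSZ) {
        char c = *s->input++;
        if (c == '^') { raise(SIGINT); if (intr_flag) return SCAN_INTR; continue; }
        s->buf[s->n_chars++] = c;
        if (c == '\n') break;
    }
    s->buf[s->n_chars] = s->buf[s->n_chars + 1] = '\0';
    s->cur = s->buf;
    return s->n_chars ? SCAN_OK : SCAN_EOF;
}

/* Copy the next line, newline stripped, into line[]. */
static int scan_line(struct scanner *s, char *line, size_t len) {
    int rc; size_t i = 0;
    if (*s->cur == '\0' && (rc = refill(s)) != SCAN_OK) return rc;  /* sentinel: need input */
    while (*s->cur && *s->cur != '\n' && i + 1 < len) line[i++] = *s->cur++;
    line[i] = '\0';
    if (*s->cur == '\n') s->cur++;
    return SCAN_OK;
}

/* ^C handled by longjmp: the scanner is re-entered with a stale cur and its
 * own sanity check fires, the analogue of the message quoted on this page. */
int demo_longjmp_handler(void) {
    static struct scanner s; static char line[BUFSZ];   /* static: valid after longjmp */
    scanner_restart(&s, "asd\n^set q=mx\n");            /* constructed session */
    install(handler_longjmp);
    if (sigsetjmp(intr_env, 1) == 0) {
        scan_line(&s, line, sizeof line);               /* "asd" */
        scan_line(&s, line, sizeof line);               /* refill hits '^': jumps out */
    }
    int rc = scan_line(&s, line, sizeof line);          /* back at prompt: SCAN_FATAL */
    install(SIG_DFL);
    return rc;
}

/* ^C handled by flag: refill reports the interrupt, the prompt loop restarts
 * the scanner, and the next line is read cleanly. */
int demo_flag_handler(void) {
    static struct scanner s;
    scanner_restart(&s, "asd\n^set q=mx\n");
    install(handler_flag); intr_flag = 0;
    scan_line(&s, flag_demo_line, sizeof flag_demo_line);            /* "asd" */
    int rc = scan_line(&s, flag_demo_line, sizeof flag_demo_line);   /* SCAN_INTR */
    if (rc == SCAN_INTR) {                /* drop the half-read line, resync cur */
        intr_flag = 0; scanner_restart(&s, s.input);
        rc = scan_line(&s, flag_demo_line, sizeof flag_demo_line);   /* "set q=mx" */
    }
    install(SIG_DFL);
    return rc;
}

int main(void) {
    printf("longjmp handler: rc=%d (SCAN_FATAL=%d)\n", demo_longjmp_handler(), SCAN_FATAL);
    printf("flag handler: rc=%d line=\"%s\"\n", demo_flag_handler(), flag_demo_line);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the longjmp variant comes back to the prompt with the scanner's sanity check tripped, the flag variant reads the next command. The general point is the one Gunnar's hypothesis circles: a handler that longjmp()s out of library code (a flex scanner, stdio, malloc) leaves that library's internal state wherever the interrupt found it, and whether the result is a loud fatal error or silent reuse of stale buffer memory depends only on which check happens to run first. sigsetjmp/siglongjmp are used so the signal mask is restored on the jump; a plain setjmp/longjmp pair out of a handler can leave SIGINT blocked afterwards.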