Date: Sat, 29 Aug 1998 16:36:02 +0200
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@netspace.org
Subject: buffer overflow in nslookup?
[peter@koek] ~$ nslookup `perl -e 'print "A" x 100;'`
Server: zopie.attic.vuurwerk.nl
Address: 10.10.13.1
*** zopie.attic.vuurwerk.nl can't find AAA.....AAA: Unspecified error
[peter@koek] ~$ nslookup `perl -e 'print "A" x 300;'`
Server: zopie.attic.vuurwerk.nl
Address: 10.10.13.1
*** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
Segmentation fault (core dumped)
[peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
Server: zopie.attic.vuurwerk.nl
Address: 10.10.13.1
Segmentation fault (core dumped)
At first, this does not seem a problem: nslookup is not suid root or anything.
But several sites have cgi-scripts that call nslookup... tests show that these
will coredump when passed enough characters. Looks exploitable to me...
Greetz, Peter.
--
'I guess anybody who walks away from a root shell at : Peter van Dijk
a nerd party gets what they deserve!' -- BillSF :peter@attic.vuurwerk.nl
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
finger hardbeat@selweird.ml.org for my public PGP-key
- --- - --- - --- - --- - --- - --- - --- - --- - --- -
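The risk Peter points at is not nslookup itself but the CGI scripts that hand it raw user input. As an added illustration (this is not code from the original post, and the post names no specific CGI script), the following Python front-end shows the check a defender would put in front of such a call: bound the length and syntax of the name before any external program sees it, and pass it as a single argv element rather than through a shell. The path `/usr/bin/nslookup`, the function names, and the RFC 1035/1123 length limits (253-octet names, 63-octet labels) are assumptions made for the example; the 100-, 300- and 1000-byte probes are the ones from the post.

```python
"""Bounded hostname validation in front of an nslookup call.

Added example, not from the original post. Assumes a CGI-style handler that
receives a user-supplied name and would otherwise pass it straight to
/usr/bin/nslookup (path assumed). Length limits follow RFC 1035/1123.
"""
import re
import subprocess

MAX_NAME_LEN = 253   # 255-octet wire limit minus length/terminator bytes (RFC 1035)
MAX_LABEL_LEN = 63   # per-label limit (RFC 1035)

# One label: alphanumerics and hyphens, no leading/trailing hyphen,
# at most 63 characters (1 + up to 61 + 1).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_hostname(name: str) -> bool:
    """Return True only for a syntactically valid hostname of bounded length.

    Overlong strings (the 100/300/1000-byte 'AAAA...' inputs from the post),
    empty labels, shell metacharacters and leading/trailing hyphens are all
    rejected here, before the external binary is ever invoked.
    """
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if name.endswith("."):          # allow exactly one trailing dot (FQDN form)
        name = name[:-1]
    if not name:
        return False
    labels = name.split(".")
    return all(len(label) <= MAX_LABEL_LEN and _LABEL_RE.match(label)
               for label in labels)


def lookup(name: str, nslookup_path: str = "/usr/bin/nslookup",
           timeout: float = 5.0) -> str:
    """Run nslookup on a validated name and return its stdout.

    Raises ValueError for input that fails validate_hostname(). The name is
    passed as a list element (no shell), so nslookup only ever receives a
    well-formed, bounded hostname; the timeout caps a hung resolver.
    """
    if not validate_hostname(name):
        raise ValueError("invalid hostname")
    proc = subprocess.run([nslookup_path, name], capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed probes: a normal name, the three lengths from the post,
    # and a name carrying a shell metacharacter.
    for probe in ("www.example.com", "A" * 100, "A" * 300, "A" * 1000,
                  "a;b.example.com"):
        verdict = "accepted" if validate_hostname(probe) else "rejected"
        print(f"{len(probe):5d} bytes -> {verdict}")
```

Note that "A" x 100 is rejected as well, even though the post shows it not crashing: a single 100-character label is already over the 63-octet label limit, so a syntax check catches it without needing to know anything about nslookup's internal buffer sizes. Using an in-process resolver (`socket.getaddrinfo`) instead of spawning nslookup removes the external binary from the picture entirely, but the validation step is worth keeping either way.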