buffer overflow in nslookup?


Date: Sat, 29 Aug 1998 22:22:26 -0400
From: Brandon Reynolds <bmr@MATH.UAKRON.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: buffer overflow in nslookup?

On Sat, 29 Aug 1998, Peter van Dijk wrote:

> *** zopie.attic.vuurwerk.nl can't find AA....AAA: Unspecified error
> Segmentation fault (core dumped)
> [peter@koek] ~$ nslookup `perl -e 'print "A" x 1000;'`
> Server:  zopie.attic.vuurwerk.nl
> Address:  10.10.13.1
>
> Segmentation fault (core dumped)
>
> At first, this does not seem a problem: nslookup is not suid root or anything.
> But several sites have cgi-scripts that call nslookup... tests show that these
> will coredump when passed enough characters. Looks exploitable to me...

The offending line is line 684 in main.c:

    sscanf(string, " %s", host);        /* removes white space */

It could easily be remedied by inserting something like this before it.

    if(strlen(string) > NAME_LEN) {
      fprintf(stderr,"host name too long.\n");
      exit(1);
    }

The code seems to be littered with sscanf's, but I guess the command line
is probably the only critical concern since it's not suid.

Brandon Reynolds                                   bmr@math.uakron.edu
The University of Akron              (330) 972-6776 fax (330) 374-8630
Mathematical Sciences                 http://www.math.uakron.edu/~bmr/
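A bounded replacement for that sscanf, as an added example that is not part of the original post or of the nslookup source: the page does not give NAME_LEN's real value, so the buffer size is passed in as a parameter, and instead of a length check on the whole line the token is capped with a width specifier and an overlong name is detected and rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one whitespace-delimited host name from `string` into host[hostlen].
 * Unlike sscanf(string, " %s", host), the conversion is width-limited to
 * hostlen - 1 characters, so it can never write past the buffer.  %n records
 * how much input was consumed, which lets us tell a truncated (too long)
 * name from one that simply fit.  Returns 1 on success, 0 on failure. */
int parse_host_bounded(const char *string, char *host, size_t hostlen)
{
    char fmt[32];       /* built at runtime: " %<hostlen-1>s%n" */
    int consumed = 0;

    if (hostlen < 2)    /* need room for at least one char plus NUL */
        return 0;
    snprintf(fmt, sizeof fmt, " %%%zus%%n", hostlen - 1);
    host[0] = '\0';
    if (sscanf(string, fmt, host, &consumed) != 1)
        return 0;       /* empty or whitespace-only input */

    /* If the token filled the buffer and the input continues with a
     * non-space character, the name was cut off: reject it as too long. */
    if (string[consumed] != '\0' && !isspace((unsigned char)string[consumed])) {
        fprintf(stderr, "host name too long.\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    char host[256];                     /* hypothetical NAME_LEN-sized buffer */
    char *longname = malloc(1001);      /* the 1000 x "A" input from the post */

    if (longname == NULL)
        return 1;
    memset(longname, 'A', 1000);
    longname[1000] = '\0';
    printf("short name ok: %d\n", parse_host_bounded(" example.org", host, sizeof host));
    printf("1000 x A accepted: %d\n", parse_host_bounded(longname, host, sizeof host));
    free(longname);
    return 0;
}
```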
