BugTraq
PFinger 0.7.8 format string vulnerability (#NISR16122002B) Dec 16 2002 07:55PM NGSSoftware Insight Security Research (nisr nextgenss com) (2 replies)
Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B) Dec 26 2002 10:07PM Andreas Tscharner (starfire dplanet ch)
RE: PFinger 0.7.8 format string vulnerability (#NISR16122002B) Dec 16 2002 08:39PM Stefan Esser (s esser e-matters de) (2 replies)
Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B) Dec 16 2002 09:49PM der Mouse (mouse Rodents Montreal QC CA)

>
> Hello,
>
> > Due to the way requests are logged the only way to exploit this
> > vulnerability is through setting the DNS name of the fingering host to the
> > attacker supplied format string.
>
> I really wonder how you want to exploit this... Last time I checked
> all tested resolvers (Linux/BSD/Solaris) did not allow % within domain
> names and so your format string vulnerability is not exploitable at all...
Gotta read them RFCs carefully. ;)
*ON THE WIRE*, all 256 byte codes are legal, since DNS uses a length-data
encoding. Currently, there are restrictions on what chars are legal *for use*,
but there's no reason to suppose that with i18n and UTF-8 possibly appearing in
domain names, this will change.
Now ponder the fun you can have with a PTR entry - as that is what needs to
be returned for "setting the DNS name of the fingering host". What? You can't
get that into a BIND 9 zone file? Try grepping through the source
for "check-names" and ponder the possibilities. You don't even need to
hack the source code for this one....
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
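An added example in C, not from this thread and not pfinger's own code, illustrating the point made above: a DNS name on the wire is a sequence of length-prefixed labels, so a decoder hands back whatever octets the zone contained, '%' included. The consumer therefore has to treat the resolved name as data (always pass it through a literal "%s" format) and, if it wants check-names-style hygiene, apply an LDH filter before the name reaches a log line. The wire bytes, the function names and the "<invalid-hostname>" placeholder are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Decode an uncompressed DNS wire-format name (RFC 1035 3.1: a run of
 * <length><label> pairs ended by a zero-length octet) into dotted text.
 * Returns the number of characters written, or -1 on malformed input.
 * Compression pointers (top two bits set) are rejected: this toy decoder
 * only handles the uncompressed form, which is enough to show that label
 * octets are copied verbatim, whatever their value. */
int decode_dns_name(const unsigned char *wire, size_t wire_len,
                    char *out, size_t out_len)
{
    size_t i = 0, o = 0;

    for (;;) {
        if (i >= wire_len) return -1;          /* ran off the end of the buffer */
        unsigned char len = wire[i++];
        if (len == 0) break;                   /* root label: name is complete */
        if (len >= 0xC0) return -1;            /* compression pointer: unsupported here */
        if (len > 63) return -1;               /* a label is at most 63 octets */
        if (i + len > wire_len) return -1;     /* label runs past the buffer */
        if (o + len + 2 > out_len) return -1;  /* '.' + label + NUL must fit */
        if (o > 0) out[o++] = '.';
        memcpy(out + o, wire + i, len);        /* raw copy: '%' and friends survive */
        o += len;
        i += len;
    }
    if (o + 1 > out_len) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Hostname filter in the spirit of BIND's check-names: only letters, digits,
 * hyphens and dots (the RFC 952 / RFC 1123 "LDH" rule), no empty labels, no
 * label starting with a hyphen. A trailing dot (FQDN form) is accepted.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int hostname_is_ldh(const char *name)
{
    if (name == NULL || *name == '\0') return 0;
    size_t label_len = 0;
    for (const char *p = name; *p; p++) {
        if (*p == '.') {
            if (label_len == 0) return 0;      /* leading dot or empty label ("a..b") */
            label_len = 0;
            continue;
        }
        if (label_len == 0 && *p == '-') return 0;
        if (!(isalnum((unsigned char)*p) || *p == '-')) return 0;
        label_len++;
    }
    return 1;
}

/* Build the log line for a finger request. The resolved host name is data,
 * never the format string: it always goes through a literal "%s", and a name
 * that fails the LDH check is replaced by a fixed placeholder (assumed text). */
int log_finger_request(const char *host, char *line, size_t line_len)
{
    const char *shown = hostname_is_ldh(host) ? host : "<invalid-hostname>";
    return snprintf(line, line_len, "finger request from %s", shown);
}

int main(void)
{
    /* Constructed PTR RDATA. Adjacent literals keep the hex escapes from
     * swallowing the letters that follow them. "ab%s%s%s.example.com" is a
     * perfectly legal wire name: each label is just <length><octets>. */
    static const unsigned char odd[] =
        "\x08" "ab%s%s%s" "\x07" "example" "\x03" "com" "\x00";
    static const unsigned char plain[] =
        "\x04" "host" "\x07" "example" "\x03" "com" "\x00";
    char name[256], line[512];

    if (decode_dns_name(odd, sizeof odd - 1, name, sizeof name) >= 0) {
        log_finger_request(name, line, sizeof line);
        printf("decoded \"%s\" ldh=%d -> %s\n", name, hostname_is_ldh(name), line);
    }
    if (decode_dns_name(plain, sizeof plain - 1, name, sizeof name) >= 0) {
        log_finger_request(name, line, sizeof line);
        printf("decoded \"%s\" ldh=%d -> %s\n", name, hostname_is_ldh(name), line);
    }
    return 0;
}
```

The two halves are independent defences: the literal "%s" in log_finger_request is what actually removes the format-string problem, while the LDH filter is the log-hygiene layer that a check-names policy on the resolver side would otherwise provide. Relying on the filter alone would leave the logging call fragile against any future relaxation of what a resolver returns.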