On Mon, 16 Dec 2002 21:39:32 +0100, Stefan Esser <s.esser@e-matters.de> said:

> > Hello,
> >
> > Due to the way requests are logged the only way to exploit this
> > vulnerability is through setting the DNS name of the fingering host to the
> > attacker supplied format string.
>
> I really wonder how you want to exploit this... Last time I checked
> all tested resolvers (Linux/BSD/Solaris) did not allow % within domain
> names and so your format string vulnerability is not exploitable at all...

Gotta read them RFCs carefully. ;)

*ON THE WIRE*, all 256 byte codes are legal, since DNS uses a length-data
encoding. Currently, there are restrictions on what chars are legal *for use*,
but there's no reason to suppose that with i18n and UTF-8 possibly appearing
in domain names, this will change.

Now ponder the fun you can have with a PTR entry - as that is what needs to
be returned for "setting the DNS name of the fingering host".

What? You can't get that into a BIND 9 zone file? Try grepping through the
source for "check-names" and ponder the possibilities. You don't even need
to hack the source code for this one....

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
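The two points in the thread, that DNS wire format is length-prefixed so any byte is legal in a label, and that a daemon logging a peer's reverse-lookup name must treat that name as untrusted data, as an added example that is not part of the original mailing-list post. The encoder/decoder follows RFC 1035 section 3.1 (no compression pointers); the hostname check applies the RFC 952/1123 letter-digit-hyphen rule in the spirit of BIND's `check-names`; the sample names are constructed for illustration. The logger shows the defensive shape: a fixed format string with the escaped name passed only as an argument.

```python
"""
Added example, not from the original thread.

1. DNS names on the wire are length-prefixed labels, so a label may carry
   any byte value (including '%'); what a resolver accepts in a typed name
   says nothing about what a PTR answer can deliver.
2. A finger daemon logging the fingering host's name must validate it and
   must never use it as a format argument.
"""
import re
from typing import List, Tuple

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 255   # RFC 1035: a whole name is at most 255 octets


def encode_name(labels: List[bytes]) -> bytes:
    """Encode raw label byte strings as a wire-format name (length, data, ..., 0)."""
    out = bytearray()
    for label in labels:
        if not 0 < len(label) <= MAX_LABEL:
            raise ValueError("label length must be 1..63 bytes")
        out.append(len(label))
        out.extend(label)          # any byte value is legal here
    out.append(0)                  # root label terminates the name
    if len(out) > MAX_NAME:
        raise ValueError("name exceeds 255 bytes")
    return bytes(out)


def decode_name(wire: bytes, offset: int = 0) -> Tuple[List[bytes], int]:
    """Decode an uncompressed wire-format name; return (labels, offset after root)."""
    labels = []
    while True:
        if offset >= len(wire):
            raise ValueError("truncated name")
        n = wire[offset]
        offset += 1
        if n == 0:
            return labels, offset
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        if offset + n > len(wire):
            raise ValueError("truncated label")
        labels.append(wire[offset:offset + n])
        offset += n


# RFC 952/1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL_RE = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(labels: List[bytes]) -> bool:
    """True if every label satisfies hostname syntax (what check-names enforces)."""
    return bool(labels) and all(_LABEL_RE.fullmatch(l) for l in labels)


def escape_for_log(labels: List[bytes]) -> str:
    """Render a name for logging; bytes outside [A-Za-z0-9-] become \\DDD escapes."""
    parts = []
    for label in labels:
        text = ""
        for b in label:
            c = chr(b)
            if (c.isascii() and c.isalnum()) or c == "-":
                text += c
            else:
                text += "\\%03d" % b     # e.g. '%' -> \037, never emitted raw
        parts.append(text)
    return ".".join(parts)


def log_finger_request(peer_labels: List[bytes], user: str) -> str:
    """Build the log line: the format string is a constant, the name is only data."""
    name = escape_for_log(peer_labels)
    if not is_valid_hostname(peer_labels):
        name += " [check-names violation]"
    return "finger request for %s from %s" % (user, name)


if __name__ == "__main__":
    # Constructed PTR-style answer carrying a '%' in a label.
    wire = encode_name([b"bad%sname", b"example"])
    labels, _ = decode_name(wire)
    print(log_finger_request(labels, "root"))
```

The round trip through `encode_name`/`decode_name` shows the `%` surviving intact, which is exactly why the daemon, not the resolver, has to be the control point: `is_valid_hostname` rejects the name and `escape_for_log` neutralises it before it reaches any format function.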