On Tue, May 02, 2000 at 07:46:33PM -0400, bretonh_at_PARANOIA.PGCI.CA wrote:
> There is a way to disable tcpdump running on a remote host. By sending a
This isn't new, check:
Pine.LNX.4.05.9905301511370.9647-101000@nb.in-berlin.de">http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-06-1&msg=Pine.LNX.4.05.9905301511370.9647-101000@nb.in-berlin.de</A>
> If this jump offset is set to its own location and if a program trying to
> decompress the domain name does not have any type of counter or strategy to
> avoid infinite loops, then the program will jump to the same offset in the
> packet over and over again.
Yep: since the DNS name compression does NOT allows to point to some offset
that contain pointers the fix is really simple.
> Only the "j" variable was added. The 256 jump limit is discutable, but this is
> only my humble suggestion of a temporary fix.
256 jumps are not allowed, a name can contain a pointer to some offset
with nul-terminated labels (RFC1035).
> One might wonder, however, if this type of bug could also be present in
> other software that also extracts domain names from UDP packets containing
> DNS queries or reply. I would suggest anyone running software that inspects
> contents of DNS traffic to test themselves against this.
Sebastian reported tcpdump vulnerable, Etherreal vulnerable, bind not
vulnerable, but the posting is dated "Sun May 30 1999 15:32:58".
regards,
antirez
--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.8024648 tel, +39.049.8036484 fax
antirez@linuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
Received on May 06 2000
Intro
