Bugtraq mailing list archives

DoS attack for ircd's by oversized PTR record

From: goblin () ULTIMATE PT (Goblin)
Date: Fri, 29 Oct 1999 12:56:09 +0100


(Read, 1st - Some domains and IP's listed here where substituted by fake
ones, by their owners desire, but the examples are 100% true, and realy
tested)

I found this "bug" while trying to make a BIG sub-domain on my name server,
what i just did was on my named.conf put:

A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.e
m.portugal    IN    A    111.111.111.111
111.111.111.111.in-addr     IN    PTR
A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.e
m.portugal.xxxxxxx.pt.

Changed the serial and did named.restart checked for it (if it's working or
not).

nslookup
Default Server:  ptm-1.xxxxxxx.pt
Address:  111.111.111.2

111.111.111.111

Server:  ptm-1.xxxxxxx.pt
Address:  111.111.111.2

Name:
A.fccn.deve.estar.enganada.este.e.que.deve.ser.o.maior.nome.de.uma.maquina.e
m.portugal.xxxxxxxx.pt
Address:  111.111.111.111

Well it was working, i now had a ip <-> name (resolving ip)
So i decides to go to a Portuguese irc network (irc.ptlink.net), to my amaze
the server crashed (only the ircd) when trying to resolve my ip, i tried
another server and got the same result.
I did some more checking and found it to be vurnerable, it was running
Elite.PTlink3.3.1 a modified version of Elite ircd's.
I probed arround for another ircd software and i found another network
runnig u.2.9.32 (a undernet ircd) tried it and found it to be also
vurlnerable.
Continuing i tried it on Ptnet version PTnet1.5.39F witch is based on
Dalnet's ircd's and found it to NOT be vurnerable , when i connected it
tried to resolve my ip and failed, but it didnt crash, it continued the
connection normaly.

So let me put this on a small list of affected IRCd's.

Vurnerable:
        Elite ircd (versions unknown)
        Ptlink ircd (all versions)
        Undernet ircd (u.2.9.32)
Not vulnerable:
        Ptnet (versions unknow and 1.5.39F)

(Note that this DoS could be applied for many other things)

Any questions about this DoS in ircd's please mail me if a valid request i
would be glad to help.

Pedro Reis ( Goblin ) @ Portugal (irc.ptlink.net)

Current thread:

Re: Fix for ssh-1.2.27 symlink/bind problem, (continued)
- - - Re: Fix for ssh-1.2.27 symlink/bind problem Phillip Vandry (Oct 06)
  - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 06)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 25)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 25)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 26)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 27)
    - ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability Luciano Martins (Jul 29)
    - Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer Luciano Martins (Jul 29)
    - AW: Mac OS 9 Idle Lock Bug Flothow, Sebastian (Oct 29)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Casper Dik (Oct 29)
    - DoS attack for ircd's by oversized PTR record Goblin (Oct 29)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Eivind Eklund (Oct 29)
    - URL Live! 1.0 WebServer UNYUN (Oct 28)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 26)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 26)
    - Falcon Web Server Advisory (Oct 26)