Ethereal-dev: [ethereal-dev] DNS exploits

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Tue, 11 Apr 2000 12:56:18 -0500
At packetstorm.securify.com, I searched for "ethereal" and found 
"zlip.tar.gz", which contains 3 exploits of DNS resolution:

http://209.143.242.119/cgi-bin/search/search.cgi?searchvalue=ethereal&type=archives&search.x=25&search.y=23

Here is the homepage of 'scut', the guy who found the exploit:
http://nb.in-berlin.de/scut/

(spelling errors are scut's, not mine)

zlip-1.c	endless, pointing to itself message decompression flaw,
		etherreal crashes linux
zlip-2.c	endless cross referencing at message decompression,
		etherreal crashes linux even faster ;)
		tcpdump stops working
zlip-3.c	creating a very long domain through multiple decompression
		of the same hostname, again and again,
		overflows etherreal, possible exploitable

Attached is the tar file with the 3 programs, and 3 single-frame libpcap
traces. Indeed, they cause ethereal to hang (but not crash). 


--gilbert

Attachment: zlip.tar.gz
Description: Binary data

Attachment: zlip-1.pcap
Description: Binary data

Attachment: zlip-2.pcap
Description: Binary data

Attachment: zlip-3.pcap
Description: Binary data
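
The three flaws listed in the message all come from expanding DNS compression pointers without bounds. As an added example (not part of the original message and not Ethereal's own code), here is one way a dissector can expand names defensively: each pointer must target an offset strictly below the start of the segment it was reached from, and the expanded name is capped at the RFC 1035 limit of 255 bytes. The function name and the sample byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNS_MAX_NAME 255 /* RFC 1035 cap on an encoded name */
/* Constructed samples: 12 zeroed header bytes, name data from offset 12. */
static const uint8_t SELF_PTR[]  = {0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x0C};
static const uint8_t CROSS_PTR[] = {0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x0E, 0xC0,0x0C};
static const uint8_t VALID[] = {0,0,0,0,0,0,0,0,0,0,0,0, 3,'f','o','o',0, 3,'w','w','w',0xC0,0x0C};

/* Expand the name at msg[off] into dotted text. Returns the text length,
 * or -1 for truncated data, a pointer that does not point strictly
 * backwards, a reserved label type, or a name over DNS_MAX_NAME. */
int dns_expand_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outsz)
{
    size_t n = 0;        /* bytes written to out */
    size_t wire = 1;     /* expanded wire length, counting the root byte */
    size_t limit = off;  /* a pointer must target an offset below this */
    for (;;) {
        if (off >= len) return -1;
        uint8_t b = msg[off];
        if ((b & 0xC0) == 0xC0) {            /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(b & 0x3F) << 8) | msg[off + 1];
            if (target >= limit) return -1;  /* self or forward reference */
            limit = off = target;            /* offsets only decrease: no loop */
            continue;
        }
        if (b & 0xC0) return -1;             /* 01/10 label types are reserved */
        if (b == 0) break;                   /* root label ends the name */
        if (off + 1 + b > len) return -1;
        wire += 1 + (size_t)b;
        if (wire > DNS_MAX_NAME || n + b + 2 > outsz) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, b);
        n += b;
        off += 1 + (size_t)b;
    }
    if (n + 1 > outsz) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[DNS_MAX_NAME + 1];
    printf("self-pointer:  %d\n", dns_expand_name(SELF_PTR, sizeof SELF_PTR, 12, buf, sizeof buf));
    printf("cross-pointer: %d\n", dns_expand_name(CROSS_PTR, sizeof CROSS_PTR, 12, buf, sizeof buf));
    if (dns_expand_name(VALID, sizeof VALID, 17, buf, sizeof buf) > 0) puts(buf);
    return 0;
}
```

Because every accepted pointer lowers `limit`, expansion terminates after at most as many jumps as there are bytes before the name, and the `wire` counter rejects names that grow past 255 bytes through chained pointers.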