Re: pnserver exploit..

der Mouse (mouse@RODENTS.MONTREAL.QC.CA)
Fri, 16 Jan 1998 14:59:53 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dean Gaudet: "Re: DoS attack: apache (& other) .htaccess Authentication"
Previous message: Dustin Sallings: "Re: DoS attack: apache (& other) .htaccess Authentication"
Maybe in reply to: Aleph One: "pnserver exploit.."
Next in thread: Donald van de Weyer: "Re: pnserver exploit.."

> It seems that the pnserver bug was different than first thought. The
> telnet client sends 6 characters that crash the server when its own
> maxbuffer is reached. Here is a working exploit.

> sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6);
> write(sock, &buffer[0], strlen(buffer));

(Um, that's only 5 characters.)

Hmmm. In telnet terms, IAC IP IAC DO TIMING-MARK. (See RFCs 854 and
860 for more.)

What telnet client is this? Not to imply that pnserver is not wrong to
crash, but this looks like a somewhat weird thing for a telnet client
to send - or have I missed part of the discussion? This would make
sense if the telnet client generated it in response to something like a
terminal interrupt character.

der Mouse

mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Next message: Dean Gaudet: "Re: DoS attack: apache (& other) .htaccess Authentication"
Previous message: Dustin Sallings: "Re: DoS attack: apache (& other) .htaccess Authentication"
Maybe in reply to: Aleph One: "pnserver exploit.."
Next in thread: Donald van de Weyer: "Re: pnserver exploit.."