Windows 2003/XP gethostbyaddr() NULL h_name pointer
From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 06/03/03
- Previous message: :: Operash ::: "[Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007"
- Next in thread: Sergey V. Gordeychik: "Re: Windows 2003/XP gethostbyaddr() NULL h_name pointer"
- Maybe reply: Sergey V. Gordeychik: "Re: Windows 2003/XP gethostbyaddr() NULL h_name pointer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 3 Jun 2003 12:59:34 +0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Credits:
at4r ins4n3 reported on the vuln-dev list that mIRC crashes on resolving
specific IP addresses. Roland Postle discovered strange behaviour of
WSAAsyncGetHostByAddr(). Peter Pentchev and I found the exact conditions for
the bug to happen. It became clear that the bug is in the Windows XP gethostbyaddr()
implementation and may affect many applications. Street confirmed this
bug in the Windows 2003 trial.
Vulnerability:
It may be possible to crash any application on Windows 2003/XP where
gethostbyaddr() or WSAAsyncGetHostByAddr() from ws2_32.dll is used for
reverse name resolution (network servers, IRC clients, peer-to-peer
clients, personal firewalls, etc.) with a NULL pointer reference bug.
Vendor:
Microsoft was Cc:'d from the vuln-dev list. The vulnerability was found during
public discussion and is already publicly known.
Reproduction:
The test application can be downloaded from
http://www.security.nnov.ru/files/gethostbyaddr.zip
1. Create the zone 1.168.192.in-addr.arpa and add a record (a Windows 2000 DNS
server was used; results for BIND may differ):
254 IN CNAME non.existant.name
2. Use the test program referenced above.
3. I did tests on Windows NT 4.0, Windows 2000 and Windows XP SP1.
Results:
Windows NT 4.0:
c:\>test.exe 192.168.1.254
gethostbyaddr failed
Windows 2000:
C:\>test.exe 192.168.1.254
gethostbyaddr failed
Windows XP SP1:
C:\>test.exe 192.168.1.254
h_name: (null)
Expected result: h_name should never be NULL if gethostbyaddr() returns
valid result.
--
~/ZARAZA
The machine proved capable of only a single action, namely multiplying 2x2, and even then it made mistakes. (Lem)
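The defensive check this post calls for (treating a non-NULL hostent with a NULL h_name as a failed lookup rather than dereferencing it), written as an added C example that is not part of the original post or of the referenced test program. It assumes a POSIX <netdb.h> build; the hostent values and the name host.example are constructed in the code instead of coming from a real gethostbyaddr() call.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>   /* struct hostent; on Windows this comes from <winsock2.h> */

/* Outcome of validating a gethostbyaddr() result before any field is used. */
enum rev_status {
    REV_OK = 0,          /* h_name copied to the caller's buffer */
    REV_LOOKUP_FAILED,   /* gethostbyaddr() returned NULL (the NT 4.0 / 2000 results above) */
    REV_NULL_NAME,       /* non-NULL hostent but h_name == NULL (the XP SP1 result above) */
    REV_TOO_LONG         /* name does not fit in the caller's buffer */
};

/* Vulnerable pattern: trusts the result as soon as the hostent pointer is non-NULL. */
size_t unsafe_name_len(const struct hostent *he)
{
    return he ? strlen(he->h_name) : 0;   /* faults when h_name is NULL */
}

/* Hardened form: check every field before use and copy with an explicit bound. */
enum rev_status copy_reverse_name(const struct hostent *he, char *out, size_t outlen)
{
    if (outlen > 0) out[0] = '\0';        /* always leave a valid string behind */
    if (he == NULL)
        return REV_LOOKUP_FAILED;
    if (he->h_name == NULL)               /* report it, never dereference it */
        return REV_NULL_NAME;
    size_t n = strlen(he->h_name);
    if (n + 1 > outlen)
        return REV_TOO_LONG;
    memcpy(out, he->h_name, n + 1);
    return REV_OK;
}

/* Constructed hostent standing in for a real lookup, so the example runs offline. */
struct hostent *sample_result(int xp_style)
{
    static char name[] = "host.example";  /* constructed name, not from the post */
    static struct hostent he;
    memset(&he, 0, sizeof he);
    he.h_name = xp_style ? NULL : name;   /* XP SP1 shape: struct present, h_name NULL */
    return &he;
}
char reverse_name_buf[256];   /* output buffer shared by main() */
int main(void)
{
    int st = copy_reverse_name(sample_result(1), reverse_name_buf, sizeof reverse_name_buf);
    printf("XP-style result: status %d, name '%s'\n", st, reverse_name_buf);
    return 0;
}
```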