From owner-freebsd-security Sun Apr 27 18:11:26 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA09945 for security-outgoing; Sun, 27 Apr 1997 18:11:26 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id SAA09940 for ; Sun, 27 Apr 1997 18:11:21 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wLexe-0006zz-00; Sun, 27 Apr 1997 19:10:34 -0600
To: The Code Warrior
Subject: Re: SNI-12: BIND Vulnerabilities and Solutions (fwd)
Cc: Dmitry Valdov , freebsd-security@freebsd.org
In-reply-to: Your message of "Wed, 23 Apr 1997 10:15:30 -0000."
References:
Date: Sun, 27 Apr 1997 19:10:33 -0600
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message The Code Warrior writes:
: I haven't checked the gethostby* libs, so I'm not sure if the
: resolver does internal bounds checking, rather than just letting you overflow
: the stack with a spoofed DNS name.

I have. There are some, but not a lot. I've been trying to plug them as I find them. Most of them have long ago been plugged.

And the name doesn't need to be spoofed either. You just need control over the in-addr.arpa domain for the IP numbers that you claim to be coming from for this attack to work.

Warner
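The point of the reply above is that the resolver's own bounds checks are partial, so a program that copies the name returned by gethostbyaddr() into a fixed-size buffer has to do its own checking. The following is an added example written for this page, not code from the mail, from FreeBSD, or from BIND: a validation routine a caller can run over the h_name it gets back before using it. The function names (copy_hostname_checked, check_name_fits, demo), the 64-byte destination buffer, and the sample names are all constructed for the demonstration; the 255-byte name and 63-byte label limits are the RFC 1035 ones.

```c
/* Added example, not part of the original mail or of any resolver library.
 * Validate a hostname handed back by the resolver (for example h_name from
 * gethostbyaddr()) before copying it into a fixed-size buffer.
 *
 * The pattern this replaces, which trusts the reply's length and is what a
 * controlled in-addr.arpa zone can abuse:
 *
 *     char host[64];
 *     strcpy(host, hp->h_name);   // a long PTR answer writes past host[]
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define HOSTNAME_MAX 255   /* RFC 1035: longest full domain name */
#define LABEL_MAX    63    /* RFC 1035: longest single label */

/* Copy name into dst (dstlen bytes) only if it is a well-formed hostname
 * that fits.  Returns 0 on success.  Returns -1 and leaves dst as "" if the
 * name is empty, longer than HOSTNAME_MAX, too long for dst, has an empty or
 * oversized label, or contains characters outside letters, digits, '-', '.'.
 * A single trailing dot (fully qualified form) is accepted. */
int copy_hostname_checked(const char *name, char *dst, size_t dstlen)
{
    size_t len = 0, label = 0, i;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';

    /* Bounded length scan: never walk more than HOSTNAME_MAX + 1 bytes,
     * so an unterminated or enormous reply cannot run us off the end. */
    while (len <= HOSTNAME_MAX && name[len] != '\0')
        len++;
    if (len == 0 || len > HOSTNAME_MAX || len >= dstlen)
        return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || label > LABEL_MAX)   /* empty or oversized label */
                return -1;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            label++;
        } else {
            return -1;                             /* not in the hostname alphabet */
        }
    }
    if (label > LABEL_MAX)
        return -1;

    memcpy(dst, name, len + 1);                    /* len < dstlen, so the NUL fits */
    return 0;
}

/* Helper used by the demo: run the check against a destination of the given
 * size (capped at 64 bytes) and return its result. */
int check_name_fits(const char *name, size_t dstlen)
{
    char buf[64];
    if (dstlen > sizeof buf)
        dstlen = sizeof buf;
    return copy_hostname_checked(name, buf, dstlen);
}

/* Constructed sample replies: a normal PTR answer, an oversized one, and one
 * carrying a shell metacharacter.  Returns the number of checks that behaved
 * as expected (3 when everything is right). */
int demo(void)
{
    char oversized[600];
    int ok = 0;

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (check_name_fits("rover.village.org", 64) == 0)  ok++;
    if (check_name_fits(oversized, 64) == -1)           ok++;
    if (check_name_fits("bad;name.example", 64) == -1)  ok++;
    return ok;
}

int main(void)
{
    const char *names[] = { "rover.village.org", "a--b.example.", ".example", "bad;name.example" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s -> %s\n", names[i],
               copy_hostname_checked(names[i], buf, sizeof buf) == 0 ? buf : "rejected");
    printf("demo checks passed: %d of 3\n", demo());
    return 0;
}
```

The length scan stops at HOSTNAME_MAX + 1 bytes on purpose: the code never relies on the reply being NUL-terminated within any particular distance, which is the assumption the strcpy() pattern makes. Rejecting the name, rather than truncating it, is the safer default here because a truncated name can still be misleading when it is later logged or compared.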