[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
On Tue, Dec 17, 2002 at 07:37:23AM +0100, Stefan Esser wrote:
> Yes noone said it is not, but fact is, the libc resolvers simply do not
> allow them, so you can send through the wire whatever you want it will
> not find its way to the fingerd.
Any resolver who disallows a % or any other character _by default_
is in violation of RFC 2181, section 11:
``Similarly, any binary string can serve as the value of any record
that includes a domain name as some or all of its value (SOA, NS, MX,
PTR, CNAME, and any others that may be added). Implementations of the
DNS protocols must not place any restrictions on the labels that can
be used. In particular, DNS servers must not refuse to serve a zone
because it contains labels that might not be acceptable to some DNS
client programs. A DNS server may be configurable to issue warnings
when loading, or even to refuse to load, a primary zone containing
labels that might be considered questionable, however this should
not happen by default.''
See also RFC 1123, section 126.96.36.199:
``The DNS defines domain name syntax very generally -- a string of
labels each containing up to 63 8-bit octets, separated by dots,
and with a maximum total of 255 octets.''
A conforming resolver is part of the djbdns package, see
BIND provides an option ``no-check-names'' in /etc/resolv.conf to
switch off the filtering function for its resolver library:
394. [feature] add RES_NOCHECKNAME and "options no-check-names" (in
resolv.conf) to turn off modern host/mail name checks.
This is supported since release 8.2-T1A.