Re: local proxy udp 53

From: Nicolas RUFF (nicolas.ruff@gmail.com)
Date: Sun Feb 19 2006 - 06:28:52 EST


> Take a look at the NSTX project:
> http://nstx.dereference.de/nstx/

Personally, I consider NSTX more like a "proof of concept" rather than
a field-useable tool. Apart from not being multi-user, it has been
plagued by a bug for several years that will make it crash if a
legitimate DNS request is received (!)

The first byte of the DNS request is used to store the request length,
but the request length is also computed by strlen(). NSTX-1.1b5 code is:

nstx_encode.c:82 *rlen = i - revmap[data[0]];
where i = strlen(data);
and rlen = &len;

When len<0, large amounts of memory will be overwritten in the following
memcpy():
nstx_pstack.c:151 memcpy(ptr->data, data, len);

The author was contacted last year, but the tool is not actively
maintained (last update 10 months ago).

PoC :

# nslookup
> server target.com
> Z.target.com
(NSTX server on target.com crashes)

Regards,
- Nicolas RUFF
Security Researcher @ EADS-CCR
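
The length validation that the quoted computation lacks, as an added example that is not part of the original post and is not NSTX code. The table in first_byte_value() is a hypothetical stand-in for revmap[], the function names are invented for illustration, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical decode table standing in for revmap[]; NOT the NSTX table. */
static int first_byte_value(unsigned char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';        /* 0..25  */
    if (c >= 'A' && c <= 'Z') return c - 'A' + 26;   /* 26..51 */
    return -1;                                       /* not an encoded byte */
}

/* The unchecked pattern: strlen() minus a value taken from the first byte.
 * Nothing stops the result from going negative. */
static int unchecked_len(const char *data)
{
    return (int)strlen(data) - first_byte_value((unsigned char)data[0]);
}

/* Checked variant: validates before memcpy(). Returns bytes copied, or -1. */
static int checked_copy(unsigned char *dst, size_t dst_size, const char *data)
{
    size_t n = strlen(data);
    int v;

    if (n == 0)
        return -1;                       /* nothing to read a first byte from */
    v = first_byte_value((unsigned char)data[0]);
    if (v < 0 || (size_t)v > n)
        return -1;                       /* length would be negative */
    if (n - (size_t)v > dst_size)
        return -1;                       /* would overflow the destination */
    memcpy(dst, data, n - (size_t)v);
    return (int)(n - (size_t)v);
}

int main(void)
{
    unsigned char buf[64];
    const char *samples[] = { "bhello", "Z" };   /* constructed inputs */

    for (size_t i = 0; i < 2; i++) {
        int len = unchecked_len(samples[i]);
        printf("%-8s unchecked len=%d as size_t=%zu checked=%d\n", samples[i],
               len, (size_t)len, checked_copy(buf, sizeof buf, samples[i]));
    }
    return 0;
}
```

The size_t column shows why a negative int length is dangerous: memcpy() takes a size_t, so the negative value is converted to a very large unsigned count.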




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:32 EDT