lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050615085619.GR7582@schlund.de>
Date: Wed, 15 Jun 2005 10:56:19 +0200
From: Anders Henke <anders@...lund.de>
To: Christoph 'knurd' Jeschke <christoph.jeschke@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Arbitrary code execution in eping plugin


Am 14.06.2005 schrieb Christoph 'knurd' Jeschke:
> Jonathan Angliss schrieb:
> 
> > Won't match IPv6 addresses, but neither will the original code, and it
> > matches IP addresses perfectly I believe.
> 
> My Suggestion for IPv4 is:
> 
> ^(?!0+\.0+\.0+\.0+$)([01]?\d{1,2}|2[0-2][0-3])\.([01]?\d{1,2}|2[0-4]\d|25[0-5])\.([01]?\d{1,2}|2[0-4]\d|25[0-5])\.([01]?\d{1,2}|2[0-4]\d|25[0-5])$
> 
> So 0.0.0.0 (Internet) doesn't match, just as 224.0.0.0/4 (Multicast) and
> 240.0.0.0/4 (Future Use) as described in RFC3330.
> 
> (based on the Regex from Mastering Regular Expression, Jeffrey E.F. Friedl)
> 
> Any further suggestions?

Beware that 0.0.0.1 is also adressable, as the whole /8 has been
issued for the same thing :-)


If you wish to use a very complete list of "unlikely" IPv4 adresses, 
you're looking for the bogons list at http://www.cymru.com/Bogons/.

A short list on "special" IPv4 adresses can be found in RFC 3330; 
so you might also wish to add

0.0.0.0/8 (RFC1700)
127.0.0.0/8 (loopback, RFC1700)
169.254.0.0/16 (LINKLOCAL)
192.0.2.0/24 (NET-TEST, "for documentation only")
198.18.0.0/15 (network device testing, see RFC 2544)

... and possibly more or less the complete RFC1918-space (10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16), too.


For IPv6, at least

0000::/8 (loopback)
FE00::/9 and FF00::/8 (multicast, see RFC3513)
2001:DB8::/32 ("documentation-only", RFC3849)

are quite clear to reject.



Regards,

Anders
-- 
Schlund + Partner AG              Security
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ