dnrd · DNRD discussion list
Message #183 of 261
Re: [dnrd] [grantma@...: Bug#80888: SECURITY - Several multiple buffer overflows in dnrd]

On Fri, 12 Jan 2001, Thomas Schoepf wrote:

> this doesn't sound very good, I'm afraid I've got too little experience with
> network programming. Maybe you both could arrange something?

The potential buffer overflows have been known for a while.

The patches submitted by Wolfgang Zekoll were full of them, but
many people were asking for the functionality that they provided.
I also didn't want to be an 'overbearing' code maintainer. So I
accepted them and thought that I or someone else would get around
to finding & fixing the problems.

In the meantime, exploiting these problems will get you nowhere.
By default, dnrd changes to the "nobody" user. It also does a chroot
to the /etc/dnrd directory, after checking that /etc/dnrd exists
and contains no subdirectories and no executables and is only
writable by root. So the process is jailed. The only thing a cracker
should be able to do by exploiting dnrd is chew up some cpu cycles.

However, I would like to see all the buffer overflows
fixed. Unfortunately, I just don't have the time to work on dnrd
anymore. It really does need a good reorganization.

It's a pretty simple program with functionality that is currently not
available anywhere else. If someone would like to give a shot at
re-writing it, I think everyone would be happy.

Brad Garcia




Fri Jan 12, 2001 4:41 pm

garsh@...
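
The jail described in the message above, sketched as an added example (not dnrd's own code and not part of the original post): validate the chroot directory against the listed conditions, then chroot and drop to an unprivileged user. The function names, return codes and the `owner` parameter (0, i.e. root, in real use) are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { JAIL_OK = 0, JAIL_BAD_DIR = -1, JAIL_WRITABLE = -2,
       JAIL_HAS_SUBDIR = -3, JAIL_HAS_EXEC = -4 };

/* Validate a chroot directory: it must exist, be owned by `owner` (0 in
 * production), be writable by nobody else, and hold no subdirectories or
 * executables. Entries are judged without following symlinks. */
int check_jail_dir(const char *path, uid_t owner)
{
    struct stat st;
    struct dirent *e;
    int rc = JAIL_OK;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return JAIL_BAD_DIR;
    if (st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) return JAIL_WRITABLE;

    DIR *d = opendir(path);
    if (!d) return JAIL_BAD_DIR;
    while (rc == JAIL_OK && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) rc = JAIL_BAD_DIR;
        else if (S_ISDIR(st.st_mode)) rc = JAIL_HAS_SUBDIR;
        else if (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) rc = JAIL_HAS_EXEC;
    }
    closedir(d);
    return rc;
}

/* Enter the jail, then drop root. Order matters: chroot() needs root, and
 * supplementary groups must be shed before setuid() gives up the right to. */
int enter_jail(const char *path, const char *user)
{
    struct passwd *pw = getpwnam(user);   /* look up before chroot hides /etc/passwd */
    if (!pw || check_jail_dir(path, 0) != JAIL_OK) return -1;
    if (chdir(path) != 0 || chroot(".") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;       /* regaining root must fail */
}
```

The check and the chroot are separate steps, so the result only holds if the parent directories are also writable by root alone.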