[3650] in bugtraq
Re: hole in Solaris 2.5[.1] gethostbyname()
daemon@ATHENA.MIT.EDU (Jeff Murphy)
Tue Nov 19 22:31:46 1996
Date: Tue, 19 Nov 1996 08:58:36 -0500
Reply-To: Jeff Murphy <jcmurphy@smurfland.cit.buffalo.edu>
From: Jeff Murphy <jcmurphy@smurfland.cit.buffalo.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199611191228.NAA29837@khi.tech.met.fr> from
"roger.raimbault@met.fr" at Nov 19, 96 01:28:30 pm
roger.raimbault@met.fr insists:
>
>Hi,
> I just received a mail from one of my internal users
> concerning a hole in the
> SOLARIS 2.5/2.5.1 gethostbyname() function
>
> Did U already see something about this ?
> If yes , which are the corresponding patches
> to install or corrections to load
there are no patches yet. yes, this is a problem and an exploit was
posted to bugtraq. binaries like rlogin, ping, etc (anything setuid root
that uses gethostbyname()) are vulnerable. here is a small "patch" that
someone at our site came up with.
-----------------------------------------------------------------------
Joel Murphy writes:
I hacked up a libnsl with a wrapper around gethostbyname that disallows
buffer overflows. A lot easier than patching every program that runs
as root, in my opinion. I called it ~jmurphy/libnsl.so.1.
If you want to do it yourself, basically here is what I did:
mkdir libnsl
cd libnsl
ar x /usr/lib/libnsl.a
emacs gethostent.o # change gethostbyname symbol to GeThOsTbYnAmE
create wrapper.c:
#include <netdb.h>

/* the original gethostbyname, renamed inside gethostent.o */
struct hostent *GeThOsTbYnAmE(const char *name);

struct hostent *gethostbyname(const char *name) {
    int i = 0;
    do {
        if (! name[i]) {            /* terminator found within 200 bytes: safe to forward */
            return GeThOsTbYnAmE(name);
        }
    } while (i++ < 200);
    return 0;                       /* name too long: refuse the lookup */
}
gcc -c wrapper.c
ld -G -o libnsl.so.1 *.o -ldl -lc -lintl -lmp -lw
that's it.
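The same length check as an added, self-contained C example (not Joel Murphy's code): the real resolver is passed in as a function pointer standing in for the renamed GeThOsTbYnAmE symbol, so the wrapper can be exercised against a constructed stub without rebuilding libnsl. HOSTNAME_LIMIT, hostname_length_ok, checked_gethostbyname and stub_resolver are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>

#define HOSTNAME_LIMIT 200 /* same bound as the wrapper in the post */

/* Resolver the shim forwards to: the renamed GeThOsTbYnAmE in the post's
 * rebuilt libnsl; a function pointer here so a stub can stand in. */
typedef struct hostent *(*resolver_fn)(const char *);
/* 1 if name is non-NULL and NUL-terminated within limit bytes. Reads at most
 * limit+1 bytes, so an unterminated buffer is never scanned past the bound. */
int hostname_length_ok(const char *name, size_t limit)
{
    if (name == NULL)
        return 0;
    for (size_t i = 0; i <= limit; i++)
        if (name[i] == '\0')
            return 1;
    return 0;
}

/* Length-checked front end: refuse over-long names before they reach the
 * resolver's fixed-size buffers; fail like a lookup miss (NULL, h_errno set). */
struct hostent *checked_gethostbyname(const char *name, resolver_fn real)
{
    if (!hostname_length_ok(name, HOSTNAME_LIMIT)) {
        h_errno = HOST_NOT_FOUND;
        return NULL;
    }
    return real(name);
}

/* Constructed stand-in for the real resolver: counts calls, does no lookup. */
static struct hostent stub_entry; static int stub_calls;
static struct hostent *stub_resolver(const char *name)
{
    (void)name; stub_calls++; return &stub_entry;
}

int main(void)
{
    char longname[HOSTNAME_LIMIT + 2];               /* 201 chars: one over the bound */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("localhost: %s\n", checked_gethostbyname("localhost", stub_resolver) ? "forwarded" : "rejected");
    printf("201 chars: %s, resolver called %d time(s)\n",
           checked_gethostbyname(longname, stub_resolver) ? "forwarded" : "rejected", stub_calls);
    return 0;
}
```

A real shim would set `real` to the renamed symbol (or to the next `gethostbyname` found by the dynamic linker) instead of the stub.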