[4103] in bugtraq
Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Feb 27 19:39:07 1997
Date: Thu, 27 Feb 1997 23:23:59 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 27 Feb 1997 19:44:57 +0200."
<199702271744.TAA07013@cc.ece.ntua.gr>
>the exploit did not work. It seems that passwd(1) queries the NIS
>server and falls into some kind of an infinite loop. Maybe Casper Dik
>(who, if I remember well, had an explanation for the gethostbyname()
>case) can explain this better than I can.
>
>Can anyone confirm this behavior?
Yep, this is a bug in NIS. The NIS clients will send out requests that are
too big. The server then drops those requests and never sends a reply.
(Some real old servers actually crash, I think.)
The client code keeps on trying and never hits the broken stack frame
and you're safe.
Casper