[4122] in bugtraq


Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)

daemon@ATHENA.MIT.EDU (Brian Parent)
Tue Mar 4 20:47:34 1997

Date: Tue, 4 Mar 1997 16:26:07 -0800
Reply-To: Brian Parent <bparent@CALVIN.UCSD.EDU>
From: Brian Parent <bparent@CALVIN.UCSD.EDU>
X-To:         casper@HOLLAND.SUN.COM
To: BUGTRAQ@netspace.org
In-Reply-To: <199702272224.XAA27150@albano> from Casper Dik at "Feb 27, 97 11:23:59 pm"

Unfortunately, a system is *not* made safe from this exploit simply
by using nis in the nsswitch.conf for the passwd database.
It is trivial to modify the exploit to tell it to use "files", regardless
of what is in the nsswitch.conf file. :-(

Re:
> Date:         Thu, 27 Feb 1997 23:23:59 +0100
> From: Casper Dik <casper@HOLLAND.SUN.COM>
> Subject:      Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
> To: BUGTRAQ@netspace.org
>
> >the exploit did not work. It seems that passwd(1) queries the NIS
> >server and falls into some kind of an infinite loop. Maybe Casper Dik
> >(who, if I remember well, had an explanation for the gethostbyname()
> >case) can explain this better than I can.
> >
> >Can anyone confirm this behavior?
>
>
> Yep, this is a bug in NIS.  The NIS clients will send out requests that are
> too big.  The server then drops those requests and never sends a reply.
> (Some real old servers actually crash, I think)
>
> The client code keeps on trying and never hits the broken stack frame
> and you're safe.
>
> Casper
>
