Bugtraq mailing list archives
(fwd) NIS library code exposure
From: ccshag () cclabs missouri edu (Paul 'Shag' Walmsley)
Date: Sun, 1 Oct 1995 19:29:41 -0500
X-Authentication-Warning: ghoti.mcom.com: Host localhost didn't use HELO protocol
To: cypherpunks () toad com
Cc: karlton () netscape com
Subject: NIS library code exposure
Date: Wed, 27 Sep 1995 21:02:33 -0700
Message-ID: <14539.812260953 () ghoti mcom com>
From: Phil Karlton <karlton () netscape com>
Sender: owner-cypherpunks () toad com
Precedence: bulk
Path: news.missouri.edu!news.sprintlink.net!in1.uu.net!news.xensei.com!hudson.lm.com!mail-news-gateway!not-for-mail
Newsgroups: mail.cypherpunks
Approved: mail-news-gateway () hudson lm com
Lines: 31

Once again I speak for myself and not Netscape.

While investigating one of the crashes we ended up decompiling some of the code in the C library. It turns out that in some UNIX systems, the code in gethostbyname_yp will copy the hostname argument onto a stack local buffer. That buffer appears to be of size MAXHOSTNAMELEN. [This is very efficient code at destroying the stack: it does not use strcpy or sprintf; there is an inline loop copying characters until it finds a NUL.]

An unstated (in any documentation I could find) limitation on calls to gethostbyname is that the "name" parameter must be a limited size string for it to work at all. I suspect this bug has been in the NIS (nee YP) code for some time.

Do you have any daemons that run as root and do networking? Are you sure that all of them check the length of the host name before passing it to gethostbyname? [Avoid the fencepost error: MAXHOSTNAMELEN is really the size of the buffer and not the maximal string length. You need room for the trailing NUL.]

We have not looked into the networking libraries that are typically found on a PC or Macintosh. The exposure may also be present there.

PK
--
Philip L. Karlton                    karlton () netscape com
Principal Curmudgeon                 http://www.netscape.com/people/karlton
Netscape Communications Corporation

--
- Paul "Shag" Walmsley <ccshag () cclabs missouri edu>
"Praise and blame alike mean nothing." -- Virginia Woolf
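The length check Karlton asks about, written out as an added example (not code from the post, the C library, or Netscape): a validator that rejects any name that would not fit in a MAXHOSTNAMELEN-byte buffer together with its trailing NUL, and a wrapper that refuses to call gethostbyname() otherwise. It assumes MAXHOSTNAMELEN comes from <sys/param.h> (falling back to 64 if the platform does not define it) and uses the POSIX strnlen() so the check itself never scans past the bound.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen() */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>           /* MAXHOSTNAMELEN on BSD-derived systems and Linux */

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64        /* assumed fallback; the real value is platform-specific */
#endif

/* Returns 1 if `name` fits in a MAXHOSTNAMELEN-byte buffer including
 * its NUL terminator, 0 otherwise.  strnlen() stops at the bound, so an
 * unterminated or huge input is rejected without reading beyond it.
 * Fencepost: a length of exactly MAXHOSTNAMELEN is rejected, because
 * the NUL would then be written one byte past the end of the buffer. */
int hostname_len_ok(const char *name)
{
    if (name == NULL)
        return 0;
    return strnlen(name, MAXHOSTNAMELEN) < MAXHOSTNAMELEN;
}

/* Wrapper a daemon can call instead of gethostbyname() directly.
 * Returns NULL with errno = EINVAL when the name is too long, so an
 * oversized name never reaches the library's unbounded copy loop. */
struct hostent *gethostbyname_checked(const char *name)
{
    if (!hostname_len_ok(name)) {
        errno = EINVAL;
        return NULL;
    }
    return gethostbyname(name);  /* the (now legacy) API the post discusses */
}

/* Helper for exercising the boundary: builds a constructed name of `len`
 * 'a' characters and reports whether the validator accepts it. */
int synthetic_name_ok(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return 0;
    memset(buf, 'a', len);
    buf[len] = '\0';
    int ok = hostname_len_ok(buf);
    free(buf);
    return ok;
}

int main(void)
{
    printf("%d chars accepted: %d\n", MAXHOSTNAMELEN - 1, synthetic_name_ok(MAXHOSTNAMELEN - 1));
    printf("%d chars accepted: %d\n", MAXHOSTNAMELEN, synthetic_name_ok(MAXHOSTNAMELEN));
    return 0;
}
```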