Bugtraq mailing list archives

(fwd) NIS library code exposure


From: ccshag () cclabs missouri edu (Paul 'Shag' Walmsley)
Date: Sun, 1 Oct 1995 19:29:41 -0500


X-Authentication-Warning: ghoti.mcom.com: Host localhost didn't use HELO protocol
To: cypherpunks () toad com
Cc: karlton () netscape com
Subject: NIS library code exposure
Date: Wed, 27 Sep 1995 21:02:33 -0700
Message-ID: <14539.812260953 () ghoti mcom com>
From: Phil Karlton <karlton () netscape com>
Sender: owner-cypherpunks () toad com
Precedence: bulk
Path: news.missouri.edu!news.sprintlink.net!in1.uu.net!news.xensei.com!hudson.lm.com!mail-news-gateway!not-for-mail
Newsgroups: mail.cypherpunks
Approved: mail-news-gateway () hudson lm com
Lines: 31

Once again I speak for myself and not Netscape.

While investigating one of the crashes we ended up decompiling some of
the code in the C library. It turns out that in some UNIX systems, the
code in gethostbyname_yp will copy the hostname argument onto a stack
local buffer. That buffer appears to be of size MAXHOSTNAMELEN. [This
is very efficient code at destroying the stack: it does not use strcpy
or sprintf; there is an inline loop copying characters until it finds a
NUL.]

An unstated (in any documentation I could find) limitation on calls to
gethostbyname is that the "name" parameter must be a limited size
string for it to work at all. I suspect this bug has been in the NIS
(nee YP) code for some time.

Do you have any daemons that run as root and do networking? Are you
sure that all of them check the length of the host name before passing
it to gethostbyname?

[Avoid the fencepost error: MAXHOSTNAMELEN is really the size of the
buffer and not the maximal string length. You need room for the
trailing NUL.]

We have not looked into the networking libraries that are typically
found on a PC or Macintosh. The exposure may also be present there.

PK
--
Philip L. Karlton                       karlton () netscape com
Principal Curmudgeon                    http://www.netscape.com/people/karlton
Netscape Communications Corporation

--

- Paul "Shag" Walmsley <ccshag () cclabs missouri edu>
  "Praise and blame alike mean nothing." -- Virginia Woolf
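The copy pattern Karlton describes, and the length check he recommends, as an added example in C that is not part of the original post or of any vendor's libc. `yp_style_copy_unchecked` reproduces the unbounded NUL-terminated loop (never call it on attacker-controlled input); `copy_hostname_bounded`, `hostname_length_ok` and `safe_gethostbyname` are hypothetical hardened forms that treat MAXHOSTNAMELEN as the buffer size, so the longest acceptable name is MAXHOSTNAMELEN - 1 characters plus the trailing NUL. MAXHOSTNAMELEN comes from <sys/param.h> where available; the fallback value of 256 is an assumption.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>

/* Assumption: if the platform does not define MAXHOSTNAMELEN, use 256. */
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif

/* The pattern described in the post: an inline loop that copies until it
 * finds a NUL, into a stack buffer of size MAXHOSTNAMELEN, with no bound.
 * Shown for illustration only; with a long name it writes past 'dst'. */
static void yp_style_copy_unchecked(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Hardened copy: refuse any name that does not fit WITH its trailing NUL.
 * strnlen never reads more than dstsz bytes, so a missing NUL within
 * dstsz means the name is too long for the buffer. Returns 0 or -1. */
static int copy_hostname_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (n == dstsz)
        return -1;
    memcpy(dst, src, n + 1);   /* n characters plus the NUL */
    return 0;
}

/* The check a daemon should make before handing a name to the resolver.
 * MAXHOSTNAMELEN is the buffer size, so the string must be shorter. */
static int hostname_length_ok(const char *name)
{
    return strnlen(name, MAXHOSTNAMELEN) < MAXHOSTNAMELEN;
}

/* Wrapper that applies the check and only then calls the real resolver. */
static struct hostent *safe_gethostbyname(const char *name)
{
    if (!hostname_length_ok(name)) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    return gethostbyname(name);
}

/* Helpers that build a constructed name of 'len' characters (all 'a')
 * and report what each check does with it; used by the demo below. */
static char *make_name(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        abort();
    memset(name, 'a', len);
    name[len] = '\0';
    return name;
}

static int length_check_for(size_t len)
{
    char *name = make_name(len);
    int ok = hostname_length_ok(name);
    free(name);
    return ok;
}

static int bounded_copy_for(size_t len)
{
    char buf[MAXHOSTNAMELEN];
    char *name = make_name(len);
    int rc = copy_hostname_bounded(buf, sizeof buf, name);
    free(name);
    return rc;
}

/* Returns 1 if the wrapper rejected the name before touching the network. */
static int safe_lookup_rejects(size_t len)
{
    char *name = make_name(len);
    struct hostent *he = safe_gethostbyname(name);
    int rejected = (he == NULL && errno == ENAMETOOLONG);
    free(name);
    return rejected;
}

int main(void)
{
    char buf[MAXHOSTNAMELEN];
    yp_style_copy_unchecked(buf, "localhost");   /* short: fits, no overflow */
    printf("unchecked copy of a short name: %s\n", buf);
    printf("MAXHOSTNAMELEN = %d\n", MAXHOSTNAMELEN);
    printf("%d chars: check=%d copy=%d\n", MAXHOSTNAMELEN - 1,
           length_check_for(MAXHOSTNAMELEN - 1), bounded_copy_for(MAXHOSTNAMELEN - 1));
    printf("%d chars: check=%d copy=%d (fencepost: no room for NUL)\n",
           MAXHOSTNAMELEN, length_check_for(MAXHOSTNAMELEN), bounded_copy_for(MAXHOSTNAMELEN));
    return 0;
}
```

The check is deliberately done with strnlen bounded by MAXHOSTNAMELEN rather than strlen, so the length test itself never walks an unterminated input; and the wrapper only reaches gethostbyname when the name would fit, so the demo never performs a real lookup for the oversized cases.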


