Bugtraq mailing list archives
Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
From: bparent () CALVIN UCSD EDU (Brian Parent)
Date: Tue, 4 Mar 1997 16:26:07 -0800
Unfortunately, a system is *not* made safe from this exploit simply by using nis in the nsswitch.conf for the passwd database. It is trivial to modify the exploit to tell it to use "files", regardless of what is in the nsswitch.conf file. :-(

> Date: Thu, 27 Feb 1997 23:23:59 +0100
> From: Casper Dik <casper () HOLLAND SUN COM>
> Subject: Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
> To: BUGTRAQ () netspace org
>
> > the exploit did not work. It seems that passwd(1) queries the NIS server and falls into some kind of an infinite loop. Maybe Casper Dik (who, if I remember well, had an explanation for the gethostbyname() case) can explain this better than I can. Can anyone confirm this behavior?
>
> Yep, this is a bug in NIS. The NIS clients will send out requests that are too big. The server then drops those requests and never sends a reply. (Some real old servers actually crash, I think.) The client code keeps on trying and never hits the broken stack frame, and you're safe.
>
> Casper