Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)

[bparent () CALVIN UCSD EDU (Brian Parent)]

Unfortunately, a system is *not* made safe from this exploit simply
by using nis in the nsswitch.conf for the passwd database.
It is trivial to modify the exploit to tell it to use "files", regardless
of what is in the nsswitch.conf file. :-(

Re:
> Date:         Thu, 27 Feb 1997 23:23:59 +0100
> From: Casper Dik <casper () HOLLAND SUN COM>
> Subject:      Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
> To: BUGTRAQ () netspace org
>
> > the exploit did not work. It seems than passwd(1) queries the NIS
> > server and falls into some kind of an infinite loop. Maybe Casper Dik
> > (who, if I remember well, had an explanation for the gethostbyname()
> > case) can explain this better than I can.
> >
> > Can anyone confirm this behavior?
>
>
> Yep, this is a bug in NIS.  The NIS clients will send out requests that are
> too big.  The server than drop those requests and never send a reply.
> (Some real old servers actually crash, I think)
>
> The client code keeps on trying and never hits the broken stack frame
> and you're safe.
>
> Casper