Date: Mon, 2 Oct 1995 23:20:16 -0700
From: Paul Traina <pst@cisco.com>
To: security@freebsd.org
Subject: [cisco.external.bugtraq] (fwd) NIS library code exposure
Message-ID: <199510030620.XAA23494@puli.cisco.com>
------- Start of forwarded message -------
Path: cronkite.cisco.com!newsgate.cisco.com
From: ccshag@cclabs.missouri.edu ("Paul 'Shag' Walmsley")
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
Newsgroups: cisco.external.bugtraq
Subject: (fwd) NIS library code exposure
Message-ID: <199510020029.TAA06496@sgi6.phlab.missouri.edu>
Date: 01 Oct 1995 16:29:41 PST
Sender: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
Organization: Internet-USENET Gateway at cisco Systems
Lines: 50
X-Authentication-Warning: ghoti.mcom.com: Host localhost didn't use HELO protocol

To: cypherpunks@toad.com
Cc: karlton@netscape.com
Subject: NIS library code exposure
Date: Wed, 27 Sep 1995 21:02:33 -0700
Message-ID: <14539.812260953@ghoti.mcom.com>
From: Phil Karlton <karlton@netscape.com>
Sender: owner-cypherpunks@toad.com
Precedence: bulk
Path: news.missouri.edu!news.sprintlink.net!in1.uu.net!news.xensei.com!hudson.lm.com!mail-news-gateway!not-for-mail
Newsgroups: mail.cypherpunks
Approved: mail-news-gateway@hudson.lm.com
Lines: 31

Once again I speak for myself and not Netscape.

While investigating one of the crashes we ended up decompiling some of the code in the C library. It turns out that in some UNIX systems, the code in gethostbyname_yp will copy the hostname argument onto a stack local buffer. That buffer appears to be of size MAXHOSTNAMELEN. [This is very efficient code at destroying the stack: it does not use strcpy or sprintf; there is an inline loop copying characters until it finds a NUL.]

An unstated (in any documentation I could find) limitation on calls to gethostbyname is that the "name" parameter must be a limited size string for it to work at all. I suspect this bug has been in the NIS (nee YP) code for some time.

Do you have any daemons that run as root and do networking? Are you sure that all of them check the length of the host name before passing it to gethostbyname?
[Avoid the fencepost error: MAXHOSTNAMELEN is really the size of the buffer and not the maximal string length. You need room for the trailing NUL.]

We have not looked into the networking libraries that are typically found on a PC or Macintosh. The exposure may also be present there.

PK
--
Philip L. Karlton                    karlton@netscape.com
Principal Curmudgeon                 http://www.netscape.com/people/karlton
Netscape Communications Corporation

--
- Paul "Shag" Walmsley <ccshag@cclabs.missouri.edu>
"Praise and blame alike mean nothing." -- Virginia Woolf
------- End of forwarded message -------
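The caller-side length check that Karlton's closing question asks for, written out as an added illustration; it is not code from the forwarded message, from Netscape, or from any vendor's C library. It assumes MAXHOSTNAMELEN comes from <sys/param.h> (with a fallback value if the header does not define it), and the function names hostname_length_ok, safe_gethostbyname and the two demo helpers are hypothetical. The check honours the fencepost note above: the resolver's buffer is MAXHOSTNAMELEN bytes including the terminating NUL, so the longest name a daemon should ever pass through is MAXHOSTNAMELEN - 1 characters, and the scan itself is bounded so an unterminated input cannot be over-read while being measured.

```c
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/param.h>   /* MAXHOSTNAMELEN on BSD-derived and glibc systems */

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256   /* assumed fallback; the real value is system-specific */
#endif

/* Bounded strlen: never reads more than max bytes, so an unterminated
 * attacker-supplied string cannot be over-read while it is measured. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i;
    for (i = 0; i < max; i++)
        if (s[i] == '\0')
            return i;
    return max;  /* no NUL found within max bytes: treat as too long */
}

/* Hypothetical wrapper (not part of any C library). Returns 1 if name is
 * safe to hand to gethostbyname(): non-NULL, NUL-terminated within
 * MAXHOSTNAMELEN bytes, and leaving room for the trailing NUL. */
int hostname_length_ok(const char *name)
{
    size_t len;
    if (name == NULL)
        return 0;
    len = bounded_len(name, MAXHOSTNAMELEN);
    /* Fencepost: the resolver's buffer holds MAXHOSTNAMELEN bytes
     * including the NUL, so the longest acceptable name is
     * MAXHOSTNAMELEN - 1 characters. */
    return len < MAXHOSTNAMELEN;
}

/* Checked front-end to gethostbyname(): refuses over-long names instead of
 * letting a vulnerable resolver copy them into a fixed-size stack buffer. */
struct hostent *safe_gethostbyname(const char *name)
{
    if (!hostname_length_ok(name)) {
        fprintf(stderr, "refusing over-long or NULL hostname (limit %d chars)\n",
                MAXHOSTNAMELEN - 1);
        return NULL;
    }
    return gethostbyname(name);
}

/* Constructed input: a name of exactly MAXHOSTNAMELEN characters, one too
 * many for a buffer that also needs a NUL. Returns 1 if it is rejected. */
int overlong_name_is_rejected(void)
{
    char buf[MAXHOSTNAMELEN + 1];
    memset(buf, 'a', MAXHOSTNAMELEN);
    buf[MAXHOSTNAMELEN] = '\0';
    return !hostname_length_ok(buf);
}

/* Constructed input: the longest acceptable name, MAXHOSTNAMELEN - 1
 * characters plus the NUL. Returns 1 if it is accepted. */
int boundary_name_is_accepted(void)
{
    char buf[MAXHOSTNAMELEN];
    memset(buf, 'a', MAXHOSTNAMELEN - 1);
    buf[MAXHOSTNAMELEN - 1] = '\0';
    return hostname_length_ok(buf);
}

int main(void)
{
    printf("MAXHOSTNAMELEN on this system: %d\n", MAXHOSTNAMELEN);
    printf("over-long name rejected: %d\n", overlong_name_is_rejected());
    printf("boundary name accepted:  %d\n", boundary_name_is_accepted());
    /* Only the rejecting path is exercised here; no network lookup is made. */
    printf("safe_gethostbyname(NULL) is NULL: %d\n",
           safe_gethostbyname(NULL) == NULL);
    return 0;
}
```

The same bounded check belongs in front of every call a root daemon makes with a host name taken from the network or from user input; rejecting the request is cheap, whereas the resolver's inline copy loop has no length check of its own.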