[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NIS library code exposure (Unix network exposure)



> [....]
> 
> > Do you have any daemons that run as root and do networking? Are you
> > sure that all of them check the length of the host name before passing
> > it to gethostbyname?
> 
> [....]
> 
> On Linux:
> ping [huge host name] works
> ftp [huge host name] works
> finger [huge host name] works
> nslookup [huge host name] ... CRUNCH (Segmentation fault)
> 

Ouch.....!

On Linux:
rsh [huge host name] crashes bad... (file system now corrupted)

The above claims for ping, ftp and finger may be dependent on how
huge is huge.  rsh took a very large number (I'm guessing 10 lines,
800 characters) before crashing.  Huge was not this huge for the
previous tests.

rsh is usually suid root.

I must quit experimenting now.... and repair my system.

Crypto relevance:  little....  some hack relevance, lots of general
                   system/network security relevance

Cort.