[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NIS library code exposure (Unix network exposure)

To: [email protected]
Subject: Re: NIS library code exposure (Unix network exposure)
From: cort <[email protected]>
Date: Thu, 28 Sep 1995 02:11:34 -0500 (EST)
In-Reply-To: <[email protected]> from "cort" at Sep 28, 95 01:13:03 am
Sender: [email protected]

> [....]
> 
> > Do you have any daemons that run as root and do networking? Are you
> > sure that all of them check the length of the host name before passing
> > it to gethostbyname?
> 
> [....]
> 
> On Linux:
> ping [huge host name] works
> ftp [huge host name] works
> finger [huge host name] works
> nslookup [huge host name] ... CRUNCH (Segmentation fault)
> 

Ouch.....!

On Linux:
rsh [huge host name] crashes bad... (file system now corrupted)

The above claims for ping, ftp and finger may be dependent on how
huge is huge.  rsh took a very large number (I'm guessing 10 lines,
800 characters) before crashing.  Huge was not this huge for the
previous tests.

rsh is usually suid root.

I must quit experimenting now.... and repair my system.

Crypto relevance:  little....  some hack relevance, lots of general
                   system/network security relevance

Cort.

References:
- Re: NIS library code exposure (Unix network exposure)
  - From: cort <[email protected]>

Prev by Date: Re: X.509, S/MIME, and evolution of PGP
Next by Date: Re: Another Netscape Bug (and possible security hole)
Prev by thread: Re: NIS library code exposure (Unix network exposure)
Next by thread: Looking for advice.
Index(es):
- Date
- Thread