Bugtraq mailing list archives

Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 27 Feb 1997 23:23:59 +0100


the exploit did not work. It seems that passwd(1) queries the NIS
server and falls into some kind of an infinite loop. Maybe Casper Dik
(who, if I remember well, had an explanation for the gethostbyname()
case) can explain this better than I can.

Can anyone confirm this behavior?


Yep, this is a bug in NIS.  The NIS clients will send out requests that are
too big.  The server then drops those requests and never sends a reply.
(Some real old servers actually crash, I think)

The client code keeps on trying and never hits the broken stack frame
and you're safe.

Casper
