Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 27 Feb 1997 23:23:59 +0100
> the exploit did not work. It seems that passwd(1) queries the NIS
> server and falls into some kind of an infinite loop. Maybe Casper Dik
> (who, if I remember well, had an explanation for the gethostbyname()
> case) can explain this better than I can.
> Can anyone confirm this behavior?
Yep, this is a bug in NIS. The NIS clients will send out requests that are
too big. The server then drops those requests and never sends a reply.
(Some real old servers actually crash, I think)
The client code keeps on trying and never hits the broken stack frame
and you're safe.