1995-09-28 - Re: NIS library code exposure (Unix network exposure)

Header Data

From: cort <cort@ecn.purdue.edu>
To: cypherpunks@toad.com
Message Hash: a0631bc989a0cc49c9ad7e868707a00e6061da5977e42380615f297924a1bb97
Message ID: <199509280711.CAA27138@en.ecn.purdue.edu>
Reply To: <199509280613.BAA21957@en.ecn.purdue.edu>
UTC Datetime: 1995-09-28 07:11:51 UTC
Raw Date: Thu, 28 Sep 95 00:11:51 PDT

Raw message

From: cort <cort@ecn.purdue.edu>
Date: Thu, 28 Sep 95 00:11:51 PDT
To: cypherpunks@toad.com
Subject: Re: NIS library code exposure (Unix network exposure)
In-Reply-To: <199509280613.BAA21957@en.ecn.purdue.edu>
Message-ID: <199509280711.CAA27138@en.ecn.purdue.edu>
MIME-Version: 1.0
Content-Type: text


> [....]
> 
> > Do you have any daemons that run as root and do networking? Are you
> > sure that all of them check the length of the host name before passing
> > it to gethostbyname?
> 
> [....]
> 
> On Linux:
> ping [huge host name] works
> ftp [huge host name] works
> finger [huge host name] works
> nslookup [huge host name] ... CRUNCH (Segmentation fault)
> 

Ouch.....!

On Linux:
rsh [huge host name] crashes bad... (file system now corrupted)

The above claims for ping, ftp and finger may be dependent on how
huge is huge.  rsh took a very large number (I'm guessing 10 lines,
800 characters) before crashing.  Huge was not this huge for the
previous tests.

rsh is usually suid root.

I must quit experimenting now.... and repair my system.

Crypto relevance:  little....  some hack relevance, lots of general
                   system/network security relevance

Cort.
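The thread's point is that a root daemon or suid program which copies a host name into a fixed buffer, or hands it to gethostbyname() unchecked, has no protection against a very long argument. The following C block is an added example and not code from this message or from any of the programs named in it: it shows the unchecked pattern beside a bounded validator that rejects an oversized or malformed name before it reaches a stack buffer or the resolver. The 255-octet total limit, the 63-character label limit and the letters-digits-hyphen rule are assumptions taken from RFC 1035, and the 64-byte buffer is an illustrative size, not one taken from rsh or nslookup.

```c
/* Added example (not from the original message): bound-check a host name
 * before it reaches a fixed buffer or gethostbyname(). HOSTNAME_MAX, LABEL_MAX
 * and the letters-digits-hyphen rule are assumptions from RFC 1035. */
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTNAME_MAX 255   /* assumed total length limit (RFC 1035) */
#define LABEL_MAX    63    /* assumed per-label limit (RFC 1035) */

typedef enum { HOST_OK = 0, HOST_EMPTY, HOST_TOO_LONG,
               HOST_BAD_CHAR, HOST_BAD_LABEL } host_status;

/* The pattern the thread is about: a fixed buffer filled from untrusted input
 * with no length check. Shown for contrast only; never called with a long name. */
void unsafe_copy(const char *name)
{
    char buf[64];
    strcpy(buf, name);            /* writes past buf once strlen(name) >= 64 */
    printf("copied %s\n", buf);
}

/* Bounded scan: returns HOST_TOO_LONG as soon as the name exceeds max_len,
 * before strlen() or anything else touches it. Accepts a trailing dot. */
host_status validate_hostname(const char *name, size_t max_len)
{
    size_t i, label_len = 0;
    if (name == NULL || name[0] == '\0')
        return HOST_EMPTY;
    for (i = 0; ; i++) {
        char c;
        if (i > max_len)
            return HOST_TOO_LONG;
        c = name[i];
        if (c == '\0' || c == '.') {
            if (label_len > 0) {
                if (label_len > LABEL_MAX || name[i - 1] == '-')
                    return HOST_BAD_LABEL;   /* overlong label or trailing '-' */
            } else if (c == '.') {
                return HOST_BAD_LABEL;       /* leading dot or empty label "a..b" */
            }
            if (c == '\0')
                break;                       /* label_len == 0 here is a trailing dot */
            label_len = 0;
            continue;
        }
        if (!isalnum((unsigned char)c) && c != '-')
            return HOST_BAD_CHAR;
        if (label_len == 0 && c == '-')
            return HOST_BAD_LABEL;           /* label may not start with '-' */
        label_len++;
    }
    return HOST_OK;
}

/* Hardened copy: validates against the buffer size, then refuses (rather than
 * truncates) anything that would not fit. Returns 0 on success, -1 otherwise. */
int copy_hostname_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0 || validate_hostname(src, dst_size - 1) != HOST_OK)
        return -1;
    memcpy(dst, src, strlen(src) + 1);   /* strlen is safe: length already bounded */
    return 0;
}

/* Same 64-byte stack buffer as unsafe_copy(), but guarded. */
int copy_into_small_buffer(const char *name)
{
    char buf[64];
    return copy_hostname_checked(buf, sizeof buf, name);
}

/* Only hands a bounded, well-formed name to the resolver. Returns a host_status
 * on rejection, 0 on success, -1 if the lookup itself failed. */
int resolve_checked(const char *name, struct hostent **out)
{
    host_status st = validate_hostname(name, HOSTNAME_MAX);
    struct hostent *h = NULL;
    if (out) *out = NULL;
    if (st != HOST_OK)
        return (int)st;
    h = gethostbyname(name);      /* reached only with a validated name */
    if (out) *out = h;
    return h ? 0 : -1;
}

/* Constructed test input: a name made of n repeated 'a' characters. */
char *make_repeated_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}
```

The validator deliberately refuses rather than truncates: silently cutting a name to fit a buffer turns one host into another, which for a program running as root is its own problem. Checking the length first also means the rest of the parse never runs over unbounded input, which is the property the thread's crashing clients lacked.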