NIS library code exposure (Unix network exposure)
cort
cort at ecn.purdue.edu
Thu Sep 28 00:11:51 PDT 1995
> [....]
>
> > Do you have any daemons that run as root and do networking? Are you
> > sure that all of them check the length of the host name before passing
> > it to gethostbyname?
>
> [....]
>
> On Linux:
> ping [huge host name] works
> ftp [huge host name] works
> finger [huge host name] works
> nslookup [huge host name] ... CRUNCH (Segmentation fault)
>
Ouch.....!
On Linux:
rsh [huge host name] crashes bad... (file system now corrupted)
The above claims for ping, ftp and finger may be dependent on how
huge is huge. rsh took a very large number (I'm guessing 10 lines,
800 characters) before crashing. Huge was not this huge for the
previous tests.
rsh is usually suid root.
I must quit experimenting now.... and repair my system.
Crypto relevance: little.... some hack relevance, lots of general
system/network security relevance
Cort.
More information about the cypherpunks-legacy
mailing list