Bugtraq mailing list archives
Re: hole in Solaris 2.5[.1] gethostbyname()
From: jcmurphy () smurfland cit buffalo edu (Jeff Murphy)
Date: Tue, 19 Nov 1996 08:58:36 -0500
roger.raimbault () met fr insists:
Hi, I just received a mail from one of my internal users concerning a hole in the SOLARIS 2.5/2.5.1 gethostbyname() function. Did you already see something about this? If yes, which are the corresponding patches to install or corrections to load?
there are no patches yet. yes, this is a problem and an exploit was posted to bugtraq. binaries like rlogin, ping, etc (anything setuid root that uses gethostbyname()) are vulnerable. here is a small "patch" that someone at our site came up with.

-----------------------------------------------------------------------

Joel Murphy writes:

I hacked up a libnsl with a wrapper around gethostbyname that disallows buffer overflows. A lot easier than patching every program that runs as root, in my opinion. I called it ~jmurphy/libnsl.so.1. If you want to do it yourself, basically here is what I did:

    mkdir libnsl
    cd libnsl
    ar x /usr/lib/libnsl.a
    emacs gethostent.o    # change gethostbyname symbol to GeThOsTbYnAmE

create wrapper.c:

    #include <stddef.h>
    #include <netdb.h>

    /* the real routine, renamed inside the patched gethostent.o */
    extern struct hostent *GeThOsTbYnAmE(const char *name);

    /* pass the name through only if it is NUL-terminated within 200 bytes */
    struct hostent *gethostbyname(const char *name)
    {
        int i = 0;
        do {
            if (!name[i]) {
                return GeThOsTbYnAmE(name);
            }
        } while (i++ < 200);
        return NULL;
    }

then:

    gcc -c wrapper.c
    ld -G -o libnsl.so.1 *.o -ldl -lc -lintl -lmp -lw

that's it.
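The same idea reworked as an added example; this is not the code from the post or from Joel Murphy's libnsl. It keeps the post's renamed symbol GeThOsTbYnAmE for the real routine but declares it weak so the file compiles and links stand-alone on a current Linux system with no patched libnsl present (an assumption made for the demo: with the symbol unresolved, the wrapper fails closed). The 255-byte bound, the h_errno reporting, the helper names and the 600-byte "attack" string are the example's own, not anything the post specifies.

```c
/* Added example, not code from the original post: a bounds-checking
 * gethostbyname() wrapper in the spirit of Joel Murphy's libnsl hack.
 * The patched libnsl exports the real routine under the renamed symbol
 * GeThOsTbYnAmE; here that symbol is declared weak so this file links
 * stand-alone (it resolves to NULL when no patched libnsl is present).
 */
#include <netdb.h>      /* struct hostent, h_errno, NO_RECOVERY */
#include <stddef.h>
#include <string.h>     /* memchr, memset */
#include <stdio.h>

/* Longest name the wrapper will pass through. The post used a hard-coded
 * 200; 255 is the DNS limit on a full domain name (assumption: nothing
 * longer is a legitimate lookup). */
#define HOSTNAME_MAX 255

/* The real gethostbyname(), renamed inside the patched libnsl.so.1. */
extern struct hostent *GeThOsTbYnAmE(const char *name) __attribute__((weak));

/* Return 1 if name is non-NULL and NUL-terminated within HOSTNAME_MAX
 * bytes, else 0. memchr() with a fixed length reads at most
 * HOSTNAME_MAX + 1 bytes, so the check itself can never walk off the end
 * of an unterminated buffer. */
int hostname_is_bounded(const char *name)
{
    return name != NULL && memchr(name, '\0', HOSTNAME_MAX + 1) != NULL;
}

/* Replacement gethostbyname() for every program linked against the
 * patched libnsl. Over-long or NULL names are refused before the real
 * resolver (and its fixed-size buffers) ever see them, and h_errno is set
 * so the caller sees an ordinary lookup failure rather than a bare NULL. */
struct hostent *gethostbyname(const char *name)
{
    if (!hostname_is_bounded(name)) {
        h_errno = NO_RECOVERY;
        return NULL;
    }
    if (GeThOsTbYnAmE == NULL) {    /* no patched libnsl loaded: fail closed */
        h_errno = NO_RECOVERY;
        return NULL;
    }
    return GeThOsTbYnAmE(name);
}

/* Demo helper: a constructed 600-byte name, far beyond any real hostname.
 * Returns 1 if the wrapper refuses it and reports NO_RECOVERY. */
int wrapper_rejects_long_name(void)
{
    char attack[600];
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';
    h_errno = 0;
    return gethostbyname(attack) == NULL && h_errno == NO_RECOVERY;
}

/* Demo helper: a 512-byte buffer with no terminator at all. The check
 * must reject it without reading beyond HOSTNAME_MAX + 1 bytes. */
int unterminated_buffer_is_rejected(void)
{
    char raw[512];
    memset(raw, 'B', sizeof raw);
    return hostname_is_bounded(raw) == 0;
}

/* Stand-alone demo. */
int main(void)
{
    printf("\"localhost\" bounded:        %d\n", hostname_is_bounded("localhost"));
    printf("600-byte name rejected:     %d\n", wrapper_rejects_long_name());
    printf("unterminated buf rejected:  %d\n", unterminated_buffer_is_rejected());
    return 0;
}
```

On a modern system the usual way to interpose a libc routine like this is a shared object loaded through LD_PRELOAD that fetches the original with dlsym(RTLD_NEXT, "gethostbyname"). That does not help for the binaries the post is worried about: the dynamic loader ignores LD_PRELOAD from untrusted paths for setuid programs, which is why rebuilding the library that the setuid binaries actually link against, as the post does, was the workable route.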