Bugtraq mailing list archives
Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 27 Feb 1997 23:23:59 +0100
> the exploit did not work. It seems that passwd(1) queries the NIS server and falls into some kind of an infinite loop. Maybe Casper Dik (who, if I remember well, had an explanation for the gethostbyname() case) can explain this better than I can. Can anyone confirm this behavior?
Yep, this is a bug in NIS. The NIS clients will send out requests that are too big. The server then drops those requests and never sends a reply. (Some real old servers actually crash, I think.) The client code keeps on trying and never hits the broken stack frame, and you're safe.

Casper
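The mechanism Casper describes (an oversized request silently dropped by the server, and a client that resends forever because no reply ever arrives) is easy to reproduce in a toy model. The following C program is an added example and is not code from the original posts, Solaris, or NIS: the request-size limit and retry budget are hypothetical constants, and server_handle, client_lookup, client_validate and demo_overlong are invented names. It shows the defensive counterparts to the two halves of the bug: the server refuses oversized requests up front, and the client bounds its retries so a dropped request surfaces as an error instead of a hang.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-ins for the NIS server's maximum accepted request
 * and a sane client retry budget; the real values are not on the page. */
#define SERVER_MAX_REQUEST 64
#define CLIENT_MAX_RETRIES 5

/* Simulated server. Returns 1 and fills `reply` when the request is
 * accepted; returns 0 and sends nothing when the request is too large,
 * mirroring a server that drops oversized requests without a reply. */
int server_handle(const char *req, size_t len, char *reply, size_t reply_cap)
{
    if (len > SERVER_MAX_REQUEST)
        return 0;                       /* dropped: no reply at all */
    snprintf(reply, reply_cap, "ok:%zu", len);
    return 1;
}

/* Client-side guard: refuse to send a request that exceeds the server's
 * limit, instead of discovering the problem through silence and retries. */
int client_validate(size_t len)
{
    return len <= SERVER_MAX_REQUEST;
}

/* Simulated client with a bounded retry loop. Returns the number of
 * attempts it took to get a reply (>= 1), or 0 when the retry budget is
 * exhausted. An unbounded loop here is exactly the hang described above. */
int client_lookup(const char *req, size_t len, int max_retries)
{
    char reply[32];
    int attempt;

    for (attempt = 1; attempt <= max_retries; attempt++) {
        if (server_handle(req, len, reply, sizeof reply))
            return attempt;             /* got a reply */
        /* no reply: a real client waits for a timeout, then resends */
    }
    return 0;                           /* gave up; caller reports an error */
}

/* Constructed oversized request (200 bytes of 'A') run through the
 * bounded client; returns client_lookup's result, 0 when it gives up. */
int demo_overlong(void)
{
    char big[200];
    memset(big, 'A', sizeof big);
    if (!client_validate(sizeof big))
        return client_lookup(big, sizeof big, CLIENT_MAX_RETRIES);
    return -1;                          /* not reached: request is oversized */
}

int main(void)
{
    printf("normal lookup: %d attempt(s)\n",
           client_lookup("alice", 5, CLIENT_MAX_RETRIES));
    printf("oversized lookup: %d (0 = gave up after %d tries)\n",
           demo_overlong(), CLIENT_MAX_RETRIES);
    return 0;
}
```

A normal 5-byte request succeeds on the first attempt, while the 200-byte request is never answered and the client gives up after the retry budget; a client without that bound would loop indefinitely, which is the behaviour the thread reports.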