Bugtraq mailing list archives
Re: Linux NLSPATH buffer overflow
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Fri, 14 Feb 1997 20:51:02 +0000
> I'm sorry if the information I'm going to tell about was already known, but I hope it wasn't...

It's known, it's fixed in current setups.

> It might be possible to exploit this hole remotely, if using a patched telnet client which would allow exporting large environment variable values. The overflow would happen at /bin/login startup then (somewhat like the famous LD_PRELOAD exploit, but an overflow). I'm not sure of that though, there might be some restrictions on environment variables in telnetd.

Netkit 0.08/9 telnetd do not pass any environment variables.

> As for the fix, well, this is a hard one -- would require re-compiling libc, and statically linked binaries. To protect yourself against remote attacks, you could for example change the variable name to something different, with a hex editor (like /usr/bin/bpe), in /lib/libc.so.5, and ensure the exploit stopped working. Of course, this is only a temporary fix.

libc5.4 is immune, RedHat has been shipping the fixed libc5.3.12 for a long time, and all the vendors I had security contacts for were told ages ago. If they haven't fixed it then I'm disappointed with them, they don't have an excuse. That libc5.3.12 unpatched also has other fun bugs with buffer overruns in libc, some in the BSD stuff akin to the BSD bugs in rcmd() etc.

Alan
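As an added example (not code from the thread, and not libc's own catopen()): a bounded NLSPATH template expander in C showing the length check the fixed libc needs. It assumes a single template element with only the %N (catalog name), %L (locale) and %% substitutions, and a deliberately small NLS_PATH_MAX so the limit is easy to reach; an over-long value arriving through the environment is refused rather than copied past the end of the buffer.

```c
#include <string.h>
#define NLS_PATH_MAX 64   /* small on purpose so the limit is easy to hit */
/* Append src to dst (capacity cap, *len bytes used); -1 if it would not fit. */
static int bounded_append(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap - *len)          /* need n bytes plus the terminating NUL */
        return -1;
    memcpy(dst + *len, src, n + 1);
    *len += n;
    return 0;
}

/* Expand one NLSPATH element as catopen() does: %N -> catalog name,
 * %L -> locale, %% -> '%', other %x kept literally. Returns 0 with out[]
 * filled, or -1 (out[] emptied) when the result would exceed cap. */
int expand_nlspath(const char *tmpl, const char *name, const char *locale,
                   char *out, size_t cap)
{
    size_t len = 0;
    char lit[2] = {0, 0};
    if (cap == 0) return -1;
    out[0] = '\0';
    for (const char *p = tmpl; *p; p++) {
        const char *piece = lit;  /* default: copy this one byte literally */
        lit[0] = *p;
        if (*p == '%' && p[1] == 'N')      { piece = name;   p++; }
        else if (*p == '%' && p[1] == 'L') { piece = locale; p++; }
        else if (*p == '%' && p[1] == '%') { p++; }
        if (bounded_append(out, cap, &len, piece) != 0) {
            out[0] = '\0';        /* never hand back a partial path */
            return -1;
        }
    }
    return 0;
}

/* 1 if tmpl expands within NLS_PATH_MAX bytes to exactly expected, else 0. */
int expands_to(const char *tmpl, const char *name, const char *locale, const char *expected)
{
    char buf[NLS_PATH_MAX];
    return expand_nlspath(tmpl, name, locale, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* 1 if a constructed catalog name of n 'A' bytes is refused instead of overflowing. */
int overlong_rejected(size_t n)
{
    char name[256], buf[NLS_PATH_MAX];
    if (n > sizeof name - 1) n = sizeof name - 1;
    memset(name, 'A', n); name[n] = '\0';
    return expand_nlspath("/tmp/%N", name, "C", buf, sizeof buf) == -1;
}
```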