Bugtraq mailing list archives

Re: hole in Solaris 2.5[.1] gethostbyname()


From: jcmurphy () smurfland cit buffalo edu (Jeff Murphy)
Date: Tue, 19 Nov 1996 08:58:36 -0500


roger.raimbault () met fr insists:

Hi,
 I just received a mail from one of my internal users
 concerning a hole in the
 SOLARIS 2.5/2.5.1 gethostbyname() function

  Did U already see something about this ?
  If yes , which are the corresponding patches
  to install or corrections to load


there are no patches yet. yes, this is a problem and an exploit was
posted to bugtraq. binaries like rlogin, ping, etc (anything setuid root
that uses gethostbyname()) are vulnerable. here is a small "patch" that
someone at our site came up with.

-----------------------------------------------------------------------
Joel Murphy writes:

I hacked up a libnsl with a wrapper around gethostbyname that disallows
buffer overflows.  A lot easier than patching every program that runs
as root, in my opinion.  I called it ~jmurphy/libnsl.so.1.

If you want to do it yourself, basically here is what I did:

mkdir libnsl
cd libnsl
ar x /usr/lib/libnsl.a
emacs gethostent.o    # change gethostbyname symbol to GeThOsTbYnAmE

create wrapper.c:
#include <stddef.h>
#include <netdb.h>

/* the real gethostbyname(), renamed inside gethostent.o */
extern struct hostent *GeThOsTbYnAmE(const char *name);

/* only forward names of at most 200 characters; anything longer fails */
struct hostent *gethostbyname(const char *name) {
  int i = 0;
  do {
    if (! name[i]) {
      return GeThOsTbYnAmE(name);
    }
  } while (i++ < 200);
  return NULL;
}

gcc -c wrapper.c
ld -G -o libnsl.so.1 *.o -ldl -lc -lintl -lmp -lw

that's it.
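The same guard written out in a form that can be compiled and exercised on its own, as an added example that is not Joel Murphy's wrapper and not Solaris' libnsl. The length check uses a bounded memchr so the check itself cannot run off the end of an unterminated buffer, the rejection is logged and reported through h_errno, and the real resolver is passed in as a function pointer: in the build described in the post that pointer would be the renamed GeThOsTbYnAmE symbol, while here a constructed one-entry table resolver (localhost -> 127.0.0.1) stands in for it so the program runs offline. The 200-byte limit is the post's choice and is kept as the policy constant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Longest hostname the guard will forward. Same 200-byte limit as the
 * wrapper in the post; the exact number is a policy choice. */
#define MAX_HOSTNAME 200

/* Signature of the resolver the guard delegates to. In the post this is the
 * renamed original symbol (GeThOsTbYnAmE) pulled out of gethostent.o. */
typedef struct hostent *(*resolver_fn)(const char *name);

/* 1 if a terminating NUL appears within the first max+1 bytes of name.
 * memchr is bounded, so the check never reads past max+1 bytes even when
 * it is handed a buffer that has no terminator at all. */
int hostname_length_ok(const char *name, size_t max) {
  if (name == NULL)
    return 0;
  return memchr(name, '\0', max + 1) != NULL;
}

/* The guard: only a name that passes the bound reaches the real resolver.
 * An oversized name is logged and fails the lookup with h_errno set, so
 * callers that use herror() still report something sensible. */
struct hostent *guarded_gethostbyname(const char *name, resolver_fn real) {
  if (!hostname_length_ok(name, MAX_HOSTNAME)) {
    fprintf(stderr, "gethostbyname: rejected name longer than %d bytes\n",
            MAX_HOSTNAME);
    h_errno = NO_RECOVERY;
    return NULL;
  }
  return real(name);
}

/* Constructed stand-in for the real resolver so the example runs offline:
 * a one-entry table (localhost -> 127.0.0.1) that counts how often it is
 * called, which lets the demo prove oversized names never reach it. */
static int real_calls = 0;
static char loopback_name[] = "localhost";
static char *no_aliases[] = { NULL };
static struct in_addr loopback_addr;
static char *loopback_list[2];
static struct hostent loopback_entry;

struct hostent *table_resolver(const char *name) {
  real_calls++;
  if (strcmp(name, "localhost") != 0)
    return NULL;
  loopback_addr.s_addr = htonl(INADDR_LOOPBACK);
  loopback_list[0] = (char *)&loopback_addr;
  loopback_list[1] = NULL;
  loopback_entry.h_name = loopback_name;
  loopback_entry.h_aliases = no_aliases;
  loopback_entry.h_addrtype = AF_INET;
  loopback_entry.h_length = (int)sizeof loopback_addr;
  loopback_entry.h_addr_list = loopback_list;
  return &loopback_entry;
}

int real_resolver_calls(void) { return real_calls; }

/* Exercise the guard with a normal name, a 300-byte name and a buffer with
 * no terminator at all. Returns 1 when every case behaves as intended. */
int demo(void) {
  char oversized[301];
  char unterminated[MAX_HOSTNAME + 1];
  struct hostent *ok, *bad;
  int before;

  memset(oversized, 'A', 300);           /* constructed 300-char name */
  oversized[300] = '\0';
  memset(unterminated, 'B', sizeof unterminated);  /* no NUL anywhere */

  before = real_calls;
  ok = guarded_gethostbyname("localhost", table_resolver);
  bad = guarded_gethostbyname(oversized, table_resolver);

  return ok != NULL && ok->h_addrtype == AF_INET
      && bad == NULL
      && !hostname_length_ok(unterminated, MAX_HOSTNAME)
      && real_calls == before + 1;
}

int main(void) {
  int passed = demo();
  printf("%s\n", passed ? "guard behaves as intended" : "guard FAILED");
  return passed ? 0 : 1;
}
```

The point of the function-pointer shape is that the guard and the length rule can be tested without a rebuilt libnsl; once it behaves, the pointer is swapped for the renamed original and the file takes the place of wrapper.c in the ar/ld steps above.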
