Bugtraq mailing list archives

Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 27 Feb 1997 23:23:59 +0100


the exploit did not work. It seems that passwd(1) queries the NIS
server and falls into some kind of an infinite loop. Maybe Casper Dik
(who, if I remember well, had an explanation for the gethostbyname()
case) can explain this better than I can.

Can anyone confirm this behavior?


Yep, this is a bug in NIS.  The NIS clients will send out requests that are
too big.  The server then drops those requests and never sends a reply.
(Some real old servers actually crash, I think)

The client code keeps on trying and never hits the broken stack frame
and you're safe.

Casper
