CVE-1999-0767: 'Re: Linux NLSPATH buffer overflow'
Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.
List: bugtraq
Subject: Re: Linux NLSPATH buffer overflow
From: Alan Cox <alan () LXORGUK ! UKUU ! ORG ! UK>
Date: 1997-02-14 20:51:02
> I’m sorry if the information I’m going to tell about was already known, but I hope it wasn’t…
It's known, it's fixed in current setups.
> It might be possible to exploit this hole remotely, if using a patched telnet client which would allow exporting large environment variable values. The overflow would happen at /bin/login startup then (somewhat like the famous LD_PRELOAD exploit, but an overflow). I’m not sure of that though, there might be some restrictions on environment variables in telnetd.
Netkit 0.08/9 telnetd do not pass any environment variables.
> As for the fix, well, this is a hard one – would require re-compiling libc, and statically linked binaries. To protect yourself against remote attacks, you could for example change the variable name to something different, with a hex editor (like /usr/bin/bpe), in /lib/libc.so.5, and ensure the exploit stopped working. Of course, this is only a temporary fix.
libc5.4 is immune, RedHat has been shipping the fixed libc5.3.12 for a long time, and all the vendors I had security contacts for were told ages ago. If they haven't fixed it then I'm disappointed with them, they don't have an excuse. That libc5.3.12 unpatched also has other fun bugs with buffer overruns in libc, some in the BSD stuff akin to the BSD bugs in rcmd() etc.
Alan
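The bug class the thread is about is a caller-controlled environment value (here NLSPATH, read when libc opens a message catalog) copied into a fixed-size stack buffer with no length check, which is why a large value handed to a setuid or login-time program overruns it. The following is an added illustration, not code from the thread, from libc5, or from Alan Cox or the original poster: it places the unbounded copy beside the bounded form a fixed library would use, plus the kind of length check a login program could apply to inherited environment values before trusting them. `CATALOG_PATH_MAX`, the function names and the sample values are all assumptions made up for this example; they are not libc5's real buffer size or API.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size for the illustration (not libc5's real value). */
#define CATALOG_PATH_MAX 256

/* Pattern the thread describes: the value of NLSPATH is copied into a
 * fixed buffer without a bound. An overlong value overruns 'out'.
 * Kept only to show the defect; never call it with untrusted input. */
void build_catalog_path_unsafe(char *out, const char *nlspath, const char *catalog)
{
    strcpy(out, nlspath);
    strcat(out, "/");
    strcat(out, catalog);
}

/* Hardened form: the copy is bounded by the destination size and the
 * result is verified. Returns 0 on success, -1 (and an empty 'out')
 * when the value would not fit, instead of writing past the buffer. */
int build_catalog_path_safe(char *out, size_t outsz,
                            const char *nlspath, const char *catalog)
{
    if (out == NULL || outsz == 0 || nlspath == NULL || catalog == NULL)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", nlspath, catalog);
    if (n < 0 || (size_t)n >= outsz) {   /* truncated: reject rather than trust */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Defensive check a login-time program can apply to an inherited
 * environment value: 1 if unset or no longer than 'limit', else 0.
 * strnlen stops scanning at limit+1, so an enormous value costs nothing. */
int env_value_within_limit(const char *value, size_t limit)
{
    if (value == NULL)
        return 1;
    return strnlen(value, limit + 1) <= limit;
}

int main(void)
{
    char path[CATALOG_PATH_MAX];

    /* Constructed sample: a benign NLSPATH value and a catalog name. */
    const char *nlspath = getenv("NLSPATH");
    if (nlspath == NULL)
        nlspath = "/usr/share/locale/%L";

    if (!env_value_within_limit(nlspath, CATALOG_PATH_MAX - 1)) {
        fprintf(stderr, "NLSPATH too long, ignoring it\n");
        return 1;
    }
    if (build_catalog_path_safe(path, sizeof path, nlspath, "libc.cat") == 0)
        printf("catalog path: %s\n", path);
    else
        fprintf(stderr, "catalog path does not fit\n");
    return 0;
}
```

Run as-is it prints the catalog path built from a default value; with an overlong NLSPATH in the environment it refuses the value instead of overrunning the buffer, which is the behaviour a fixed libc or a hardened /bin/login needs.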