Operating System:

[NetBSD]

Published:

26 October 2000

Protect yourself against future threats.

//Service

Malicious URL Feed

Add this Australian-based feed to your firewall blacklist and SIEM to prevent compromises to your network.

Read more
Resources > Security Bulletins > ESB-2000.313 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
              ESB-2000.313 -- NetBSD Security Advisory 2000-012
                 buffer overflow in NIS hostname lookup code
                               27 October 2000

===========================================================================

	AusCERT Security Bulletin Summary
	---------------------------------

Product:                NIS hostname lookup code
Vendor:                 NetBSD
Operating System:       NetBSD
Impact:                 Root Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-012
                 =================================

Topic:		buffer overflow in NIS hostname lookup code
Version:	1.4.x: All versions prior to 1.4.3 (fix will be in 1.4.3)
		1.5_ALPHA: prior to June 30, 2000 (fix will be in 1.5)
		current: prior to June 30, 2000
		Applies only if the node uses NIS for hostname lookups
		(the default NetBSD configuration is not vulnerable)
Severity:	Potential for remote root exploit.


Abstract
========

NIS client nodes may be vulnerable to a remote buffer overflow
attack.  If the node is configured to use NIS for hostname lookups,
and a rogue NIS server is in a position to respond to a hostname
lookup request, a malformed response could cause a denial of service
due to abnormal program termination.  In the worst case, an account
could be hijacked.

The default installation of NetBSD is not vulnerable, as the NIS
client daemons are not started by default, and the default
/etc/nsswitch.conf file does not use NIS for hostname lookups.

There have been no reports of attacks based on the vulnerability.


Technical Details
=================

The NIS hostname lookup code (in src/lib/libc/net/gethnamaddr.c, in
the _yphostent() function) uses a statically-allocated buffer to hold
IPv4 addresses obtained from the lookup.  The original version failed
to bounds check writes into the buffer.

If a rogue NIS server injects a lookup result with a large number of
matches, the NIS hostname lookup code could overrun the buffer.

The attack is not likely to be effective in practice on otherwise
well-configured systems. However, NIS does not include any form of
authentication, and NIS clients generally trust NIS server data, and a
rogue server could introduce bogus passwd or group entries which may
also allow for a remote compromise of a system; NIS should generally
only be used when the network is separated from the greater Internet
by some sort of firewall.

Solutions and Workarounds
=========================

The default installation of NetBSD is not vulnerable.

To check if your node is vulnerable or not, check the "hosts" line in
/etc/nsswitch.conf.  It the line has "nis" on it, your node may be
vulnerable.  

Note that if either of the "passwd" or "group" lines have "nis" in
them, or if the passwd or group files have an entry for `+', your
system is using NIS for user and/or group lookup and should not be
directly connected to the Internet.

To correct this problem, take one or more of the following actions:

1. Turn NIS hostname lookup off, if appropriate for your installation.
   (Edit /etc/nsswitch.conf, and remove "nis" from the "hosts" line)

2. Upgrade to a more recent version of NetBSD.  If you are using NetBSD prior
   to 1.4.3, it would be a good chance to upgrade.

3. Apply the following patch to your source tree:
	ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000808-nis
   Then rebuild and reinstall libc, and rebuild and reinstall all
   statically linked binaries.

Systems running releases older than NetBSD 1.4 should be upgraded to
NetBSD 1.4.2 before applying the fixes described here.

Systems running NetBSD-current dated from before July 30, 2000 should be
upgraded to NetBSD-current dated July 30, 2000 or later.

Systems running NetBSD-release dated from before August 4, 2000 should be
upgraded to NetBSD-release dated August 4, 2000 or later.

Thanks To
=========

Jun-ichiro itojun Hagino <itojun@netbsd.org>


Revision History
================

	2000/08/04	initial draft
	2000/08/08	revised prior to release.


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-012.txt,v 1.3 2000/10/26 14:59:24 sommerfeld Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOfhInz5Ru2/4N2IFAQG2NAQAocFiLdPiBf/ZyOi42XZ25QHCUetj/MtL
nC/XDrxOUqSZ0KYuBxwHngqvyCPdbuWdrCzlBGC1R+doyi2ae+OgoJwI8L2mMs0/
2pgABddTWBFQacaHe5LwvbeRXVv6vI+LzuRUvRVQ7GPUK/hvuzUfJDEbToidJWZB
D4iqGgLgXA4=
=VR4V
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOlSNHSh9+71yA2DNAQG+wwP/RG8Xb3dtfYbRxB21qbgxfn0PEg5lnFy6
wmWw2vwj5cNNmL+wntAuudR5Sq8m9r8AG2MT6jMO2fMekpDLwBMY2Bmdkh0YMBz8
MT2WXl4t1tr0hsAtSf2l2326o5UEbytxTsLXS76VT3mnQKEgj1nF0InlvlqzOsss
OffFtPCwoZ4=
=2jPs
-----END PGP SIGNATURE-----