COMMAND
libnsl
SYSTEMS AFFECTED
Solaris 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6 (sparc and x86)
PROBLEM
The following information is based on RSI Advisory #5. The vulnerability was
discovered by Matt Conover. Several buffer overflows exist in Sun
Microsystems' libnsl networking library. By overflowing one of these
buffers, an attacker can manipulate the stack and execute their own
commands, possibly gaining root access on your server.
Functions we have found vulnerable:
Vulnerable key functions:
-------------------------
extract_secret ()        : Buffer overflows while copying
                           data into a local buffer
getkeys_nis ()           : Buffer overflows if key value
                           is larger than the buffer
getpublickey ()          : Calls getkeys_nis ()
getsecretkey ()          : Calls getkeys_nis ()
Vulnerable RPC functions:
-------------------------
authdes_seccreate ()     : Calls getpublickey ()
rpc_broadcast_exp ()     : Buffer overflow if allowed to
                           specify network protocol type
rpc_broadcast ()         : Calls rpc_broadcast_exp ()
clnt_create_timed ()     : Buffer overflow if allowed to
                           specify network protocol type
host2netname ()          : Buffer overflow while specifying
                           hostname
getnetname ()            : Calls host2netname ()
clnt_create ()           : Calls clnt_create_timed ()
rpc_call ()              : Buffer overflow if allowed to
                           specify network protocol type
authdes_pk_seccreate ()  : Calls getnetname ()
Vulnerable NIS functions:
-------------------------
__nis_init_callback ()   : Calls getpublickey ()
__nis_core_lookup ()     : Buffer overflow while copying
                           parameters into a local buffer
nis_make_rpchandle ()    : Calls host2netname ()
nis_dump_r ()            : Calls nis_make_rpchandle ()
nis_dump ()              : Calls nis_dump_r ()
__nis_auth2princ ()      : Buffer overflow while specifying
                           machine name
__nis_host2nis_server () : Buffer overflow while specifying
                           hostname
nis_name_of_r ()         : Buffer overflow while copying
                           parameters into a local buffer
nis_old_data_r ()        : Buffer overflow while copying
                           parameters into a local buffer
nis_list ()              : Calls __nis_core_lookup ()
nis_add ()               : Calls nis_nameops ()
nis_remove ()            : Calls nis_nameops ()
nis_modify ()            : Calls nis_nameops ()
nis_mkdir ()             : Calls nis_make_rpchandle ()
nis_rmdir ()             : Calls nis_make_rpchandle ()
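The bug class behind the entries above (getkeys_nis copying a key value, host2netname copying a hostname) is an unchecked copy into a fixed-size stack buffer. The following is an added illustration, not Sun's libnsl source: a model of the unchecked pattern beside a bounded version that rejects values that do not fit. KEYBUF_SIZE and the function names are hypothetical.

```c
/* Added example: unchecked copy into a stack buffer versus a bounded copy.
 * Not libnsl code; buffer size and names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define KEYBUF_SIZE 64          /* hypothetical local buffer size */

/* Vulnerable pattern, modelled on the advisory's description of
 * getkeys_nis(): the key value is copied with no length check, so a
 * value longer than KEYBUF_SIZE - 1 runs past keybuf and corrupts the
 * stack frame. Kept only for contrast; never feed it untrusted input. */
int copy_key_unchecked(const char *keyval)
{
    char keybuf[KEYBUF_SIZE];
    strcpy(keybuf, keyval);     /* no bound: overflows if keyval is too long */
    return (int)strlen(keybuf);
}

/* Hardened version: measure the input first, refuse anything that will not
 * fit including the terminator, then copy with an explicit bound.
 * Returns the number of bytes copied, or -1 when the value is rejected. */
int copy_key_bounded(const char *keyval, char *out, size_t outsz)
{
    size_t n = strlen(keyval);
    if (outsz == 0 || n >= outsz)
        return -1;              /* would overflow: fail closed */
    memcpy(out, keyval, n);
    out[n] = '\0';
    return (int)n;
}

/* Same stack-buffer shape as the vulnerable function; the only difference
 * is the length check, which is what the patched library needs. */
int getkey_safe(const char *keyval)
{
    char keybuf[KEYBUF_SIZE];
    return copy_key_bounded(keyval, keybuf, sizeof keybuf);
}

int main(void)
{
    char longkey[200];                          /* constructed oversized value */
    memset(longkey, 'A', sizeof longkey - 1);
    longkey[sizeof longkey - 1] = '\0';
    printf("short key: %d\n", getkey_safe("0123456789abcdef"));  /* 16 */
    printf("long key:  %d\n", getkey_safe(longkey));              /* -1 */
    return 0;
}
```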
Potentially vulnerable programs:
Calls vulnerable RPC functions:
-------------------------------
1. nfs mount
2. nfs share
3. rpc.rexd
4. autofs
Calls vulnerable key functions:
-------------------------------
1. chkey
2. keylogin
3. setkey
4. newkey
5. keyserv
6. libscheme
Calls vulnerable NIS functions:
-------------------------------
1. rpc.nisd
2. rpc.nisdpasswdd
3. nisping
4. nisaddent
5. nisupdkeys
6. nisaddcred
7. sendmail
8. volcheck
9. vold
Calls vulnerable YP functions:
------------------------------
1. vacation
2. ypwhich
3. yppush
SOLUTION
The current patch list for this problem by OS is below.
OS                 Patch
--                 -----
SunOS 5.6          105401-14
SunOS 5.6_x86      105402-14
SunOS 5.5.1        103612-43
SunOS 5.5.1_x86    103613-43
SunOS 5.5          103187-39
SunOS 5.5_x86      103188-39
SunOS 5.4          101973-36
SunOS 5.4_x86      101974-36
SunOS 5.3          101318-91 (to be released soon)