-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-012 ================================= Topic: buffer overflow in NIS hostname lookup code Version: 1.4.x: All versions prior to 1.4.3 (fix will be in 1.4.3) 1.5_ALPHA: prior to June 30, 2000 (fix will be in 1.5) current: prior to June 30, 2000 Applies only if the node uses NIS for hostname lookups (the default NetBSD configuration is not vulnerable) Severity: Potential for remote root exploit. Abstract ======== NIS client nodes may be vulnerable to a remote buffer overflow attack. If the node is configured to use NIS for hostname lookups, and a rogue NIS server is in a position to respond to a hostname lookup request, a malformed response could cause a denial of service due to abnormal program termination. In the worst case, an account could be hijacked. The default installation of NetBSD is not vulnerable, as the NIS client daemons are not started by default, and the default /etc/nsswitch.conf file does not use NIS for hostname lookups. There have been no reports of attacks based on the vulnerability. Technical Details ================= The NIS hostname lookup code (in src/lib/libc/net/gethnamaddr.c, in the _yphostent() function) uses a statically-allocated buffer to hold IPv4 addresses obtained from the lookup. The original version failed to bounds check writes into the buffer. If a rogue NIS server injects a lookup result with a large number of matches, the NIS hostname lookup code could overrun the buffer. The attack is not likely to be effective in practice on otherwise well-configured systems. However, NIS does not include any form of authentication, and NIS clients generally trust NIS server data, and a rogue server could introduce bogus passwd or group entries which may also allow for a remote compromise of a system; NIS should generally only be used when the network is separated from the greater Internet by some sort of firewall. Solutions and Workarounds ========================= The default installation of NetBSD is not vulnerable. To check if your node is vulnerable or not, check the "hosts" line in /etc/nsswitch.conf. It the line has "nis" on it, your node may be vulnerable. Note that if either of the "passwd" or "group" lines have "nis" in them, or if the passwd or group files have an entry for `+', your system is using NIS for user and/or group lookup and should not be directly connected to the Internet. To correct this problem, take one or more of the following actions: 1. Turn NIS hostname lookup off, if appropriate for your installation. (Edit /etc/nsswitch.conf, and remove "nis" from the "hosts" line) 2. Upgrade to a more recent version of NetBSD. If you are using NetBSD prior to 1.4.3, it would be a good chance to upgrade. 3. Apply the following patch to your source tree: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000808-nis Then rebuild and reinstall libc, and rebuild and reinstall all statically linked binaries. Systems running releases older than NetBSD 1.4 should be upgraded to NetBSD 1.4.2 before applying the fixes described here. Systems running NetBSD-current dated from before July 30, 2000 should be upgraded to NetBSD-current dated July 30, 2000 or later. Systems running NetBSD-release dated from before August 4, 2000 should be upgraded to NetBSD-release dated August 4, 2000 or later. Thanks To ========= Jun-ichiro itojun Hagino Revision History ================ 2000/08/04 initial draft 2000/08/08 revised prior to release. More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-012.txt,v 1.3 2000/10/26 14:59:24 sommerfeld Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOfhInz5Ru2/4N2IFAQG2NAQAocFiLdPiBf/ZyOi42XZ25QHCUetj/MtL nC/XDrxOUqSZ0KYuBxwHngqvyCPdbuWdrCzlBGC1R+doyi2ae+OgoJwI8L2mMs0/ 2pgABddTWBFQacaHe5LwvbeRXVv6vI+LzuRUvRVQ7GPUK/hvuzUfJDEbToidJWZB D4iqGgLgXA4= =VR4V -----END PGP SIGNATURE-----