Multiple Vendor libnsl Vulnerabilities

Several buffer overruns exist in the NSL (network services library) of Solaris 2.2, 2.3, 2.4, 2.5, 2.5.1 and 2.6. These buffer overruns could potentially be exploited by an attacker to gain access to a system or to obtain root on it.

It should be noted, however, that exploits for these attacks have never been seen in the wild, nor is it clear that they are exploitable without the would-be attacker already having access to the NIS or NIS+ server on the network being attacked -- at which point they would already be able to access any machine on that network.

The vulnerable functions are (taken from the RSI advisory):
extract_secret () : Buffer overflows while copying data into a local buffer
getkeys_nis () : Buffer overflows if key value is larger than the buffer
getpublickey () : Calls getkeys_nis ()
getsecretkey () : Calls getkeys_nis ()

authdes_seccreate () : Calls getpublickey ()
rpc_broadcast_exp () : Buffer overflow if allowed to specify network protocol type
rpc_broadcast () : Calls rpc_broadcast_exp ()
clnt_create_timed () : Buffer overflow if allowed to specify network protocol type
host2netname () : Buffer overflow while specifying hostname.
getnetname () : Calls host2netname ()
clnt_create () : Calls clnt_create_timed ()
rpc_call () : Buffer overflow if allowed to specify network protocol type
authdes_pk_seccreate () : Calls getnetname ()

__nis_init_callback () : Calls getpublickey ()
__nis_core_lookup () : Buffer overflow while copying parameters into a local buffer
nis_make_rpchandle () : Calls host2netname ()
nis_dump_r () : Calls nis_make_rpchandle ()
nis_dump () : Calls nis_dump_r ()
__nis_auth2princ () : Buffer overflow while specifying machine name
__nis_host2nis_server () : Buffer overflow while specifying hostname
nis_name_of_r () : Buffer overflow while copying parameters into a local buffer
nis_old_data_r () : Buffer overflow while copying parameters into a local buffer
nis_list () : Calls __nis_core_lookup ()
nis_add () : Calls nis_nameops ()
nis_remove () : Calls nis_nameops ()
nis_modify () : Calls nis_nameops ()
nis_mkdir () : Calls nis_make_rpchandle ()
nis_rmdir () : Calls nis_make_rpchandle ()
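The copy pattern behind several of the entries above (a NIS map value or a hostname written into a fixed-size local buffer), shown as an added illustration beside a length-checked form. This is not Solaris libnsl source; the buffer sizes, function names and the unix.<host>@<domain> netname layout are assumptions.

```c
/* Added illustration of the bug class this advisory lists (a NIS key value or a
 * hostname copied into a fixed-size local buffer); not Solaris libnsl code.
 * Buffer sizes, function names and the netname layout are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define KEY_BUF_SZ 64   /* assumed size of the local buffer in a getkeys_nis()-style routine */
#define NETNAME_SZ 255  /* assumed cap, following Secure RPC's MAXNETNAMELEN */

/* The pattern described above: the map value is copied with no length check,
 * so a value of KEY_BUF_SZ bytes or more writes past 'local'. */
int getkeys_nis_unchecked(const char *value)
{
    char local[KEY_BUF_SZ];
    strcpy(local, value);                   /* overflows if value does not fit */
    return (int)strlen(local);
}

/* Hardened form: refuse a value that does not fit with its NUL and report it,
 * rather than overflowing or truncating silently. Returns the copied length. */
int getkeys_nis_checked(char *dst, size_t dstsz, const char *value)
{
    const char *nul = memchr(value, '\0', dstsz);
    if (nul == NULL) { errno = ENAMETOOLONG; return -1; }   /* too long */
    memcpy(dst, value, (size_t)(nul - value) + 1);
    return (int)(nul - value);
}

/* host2netname()-style builder for "unix.<host>@<domain>" with length accounting. */
int host2netname_checked(char *netname, size_t sz, const char *host, const char *domain)
{
    int n = snprintf(netname, sz, "unix.%s@%s", host, domain);
    if (n < 0 || (size_t)n >= sz) {         /* output would have been truncated */
        errno = ENAMETOOLONG;
        netname[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char key[KEY_BUF_SZ], nn[NETNAME_SZ + 1], big[KEY_BUF_SZ + 16];
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';   /* constructed oversized map value */
    printf("short key -> %d\n", getkeys_nis_checked(key, sizeof key, "xyzzy"));
    printf("oversized key -> %d\n", getkeys_nis_checked(key, sizeof key, big));
    printf("netname -> %d %s\n", host2netname_checked(nn, sizeof nn, "host", "example.com"), nn);
    return 0;
}
```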

Copyright 2010, SecurityFocus