Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

NetBSD: "NIS" buffer overflow Print E-mail
User Rating:      How can I rate this item?
Posted by Team   
NetBSD NIS client nodes may be vulnerable to a remote buffer overflow attack.

                 NetBSD Security Advisory 2000-012

Topic:          buffer overflow in NIS hostname lookup code
Version:        1.4.x: All versions prior to 1.4.3 (fix will be in 1.4.3)
                1.5_ALPHA: prior to June 30, 2000 (fix will be in 1.5)
                current: prior to June 30, 2000
                Applies only if the node uses NIS for hostname lookups
                (the default NetBSD configuration is not vulnerable)
Severity:       Potential for remote root exploit.


NIS client nodes may be vulnerable to a remote buffer overflow
attack.  If the node is configured to use NIS for hostname lookups,
and a rogue NIS server is in a position to respond to a hostname
lookup request, a malformed response could cause a denial of service
due to abnormal program termination.  In the worst case, an account
could be hijacked.

The default installation of NetBSD is not vulnerable, as the NIS
client daemons are not started by default, and the default
/etc/nsswitch.conf file does not use NIS for hostname lookups.

There have been no reports of attacks based on the vulnerability.

Technical Details

The NIS hostname lookup code (in src/lib/libc/net/gethnamaddr.c, in
the _yphostent() function) uses a statically-allocated buffer to hold
IPv4 addresses obtained from the lookup.  The original version failed
to bounds check writes into the buffer.

If a rogue NIS server injects a lookup result with a large number of
matches, the NIS hostname lookup code could overrun the buffer.

The attack is not likely to be effective in practice on otherwise
well-configured systems. However, NIS does not include any form of
authentication, and NIS clients generally trust NIS server data, and a
rogue server could introduce bogus passwd or group entries which may
also allow for a remote compromise of a system; NIS should generally
only be used when the network is separated from the greater Internet
by some sort of firewall.

Solutions and Workarounds

The default installation of NetBSD is not vulnerable.

To check if your node is vulnerable or not, check the "hosts" line in
/etc/nsswitch.conf.  It the line has "nis" on it, your node may be

Note that if either of the "passwd" or "group" lines have "nis" in
them, or if the passwd or group files have an entry for `+', your
system is using NIS for user and/or group lookup and should not be
directly connected to the Internet.

To correct this problem, take one or more of the following actions:

1. Turn NIS hostname lookup off, if appropriate for your installation.
   (Edit /etc/nsswitch.conf, and remove "nis" from the "hosts" line)

2. Upgrade to a more recent version of NetBSD.  If you are using NetBSD prior
   to 1.4.3, it would be a good chance to upgrade.

3. Apply the following patch to your source tree:
   Then rebuild and reinstall libc, and rebuild and reinstall all
   statically linked binaries.

Systems running releases older than NetBSD 1.4 should be upgraded to
NetBSD 1.4.2 before applying the fixes described here.

Systems running NetBSD-current dated from before July 30, 2000 should be
upgraded to NetBSD-current dated July 30, 2000 or later.

Systems running NetBSD-release dated from before August 4, 2000 should be
upgraded to NetBSD-release dated August 4, 2000 or later.

Thanks To

Jun-ichiro itojun Hagino <>

Revision History

        2000/08/04      initial draft
        2000/08/08      revised prior to release.

More Information

Information about NetBSD and NetBSD security can be found at 
http://www.NetBSD.ORG/ and  http://www.NetBSD.ORG/Security/.

Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-012.txt,v 1.3 2000/10/26 14:59:24 sommerfeld Exp $

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Feds Charged With Stealing Money During Silk Road Investigation
EFF questions US government's software flaw disclosure policy
Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.