J-Security Center

Title: Multiple Vendor libnsl Vulnerabilities

Severity: CRITICAL

Description:

Several buffer overruns exist in the NSL (network services library) of Solaris 2.2, 2.3, 2.4, 2.5, 2.5.1 and 2.6. The potential exists for these buffer overruns to be exploited by an attacker in order to gain access to a system, or to obtain root on the system.

It should be noted, however, that exploits for these attacks have never been seen in the wild, nor is it clear that they are exploitable without the would-be attacker already having access to the NIS or NIS+ server on the network they are attacking -- at which point they would already be able to access any machine on the network.

The vulnerable functions are (taken from the RSI advisory):
extract_secret () : Buffer overflows while copying data into a local buffer
getkeys_nis () : Buffer overflows if key value is larger than the buffer
getpublickey () : Calls getkeys_nis ()
getsecretkey () : Calls getkeys_nis ()

authdes_seccreate () : Calls getpublickey ()
rpc_broadcast_exp () : Buffer overflow if allowed to specify network protocol type
rpc_broadcast () : Calls rpc_broadcast_exp ()
clnt_create_timed () : Buffer overflow if allowed to specify network protocol type
host2netname () : Buffer overflow while specifying hostname.
getnetname () : Calls host2netname ()
clnt_create () : Calls clnt_create_timed ()
rpc_call () : Buffer overflow if allowed to specify network protocol type
authdes_pk_seccreate () : Calls getnetname ()

__nis_init_callback () : Calls getpublickey ()
__nis_core_lookup () : Buffer overflow while copying parameters into a local buffer
nis_make_rpchandle () : Calls host2netname ()
nis_dump_r () : Calls nis_make_rpchandle ()
nis_dump () : Calls nis_dump_r ()
__nis_auth2princ () : Buffer overflow while specifying machine name
__nis_host2nis_server () : Buffer overflow while specifying hostname
nis_name_of_r () : Buffer overflow while copying parameters into a local buffer
nis_old_data_r () : Buffer overflow while copying parameters into a local buffer
nis_list () : Calls __nis_core_lookup ()
nis_add () : Calls nis_nameops ()
nis_remove () : Calls nis_nameops ()
nis_modify () : Calls nis_nameops ()
nis_mkdir () : Calls nis_make_rpchandle ()
nis_rmdir () : Calls nis_make_rpchandle ()
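The two defect classes listed above (a caller-supplied hostname, or a NIS key value, copied into a fixed-size buffer without a length check) shown from the defensive side, as an added example that is not Juniper's, Sun's or RSI's code: safe_host2netname and safe_copy_key are hypothetical bounded replacements that validate every length before copying. The "unix.<host>@<domain>" netname layout and the 255-byte limit are assumptions modelled on the standard RPC netname convention, not values from this advisory.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit, mirroring MAXNETNAMELEN (255) from rpc/auth.h; not from the advisory. */
#define NETNAME_MAX 255

/* Hardened builder for a "unix.<host>@<domain>" netname. Every length is
 * checked before any byte is written, so an oversized hostname is refused
 * instead of overrunning the caller's buffer (the host2netname defect class).
 * Returns 0 on success, -1 if the input is oversized or malformed. */
int safe_host2netname(char *out, size_t outlen, const char *host, const char *domain)
{
    if (out == NULL || host == NULL || domain == NULL || outlen == 0)
        return -1;
    if (host[0] == '\0' || strchr(host, '@') != NULL)
        return -1;                      /* empty or structurally invalid hostname */
    size_t need = 5 + strlen(host) + 1 + strlen(domain);   /* "unix." + host + "@" + domain */
    if (need > NETNAME_MAX || need >= outlen)
        return -1;                      /* would not fit: refuse, do not truncate silently */
    int n = snprintf(out, outlen, "unix.%s@%s", host, domain);
    if (n < 0 || (size_t)n >= outlen) { /* belt and braces: snprintf reports the full length */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bounded copy of a NIS key value (the getkeys_nis defect class): the
 * length reported by the NIS lookup is validated against the destination
 * before the copy, and a value that does not fit is rejected. */
int safe_copy_key(char *dst, size_t dstlen, const char *val, int vallen)
{
    if (dst == NULL || val == NULL || vallen < 0 || (size_t)vallen >= dstlen)
        return -1;
    memcpy(dst, val, (size_t)vallen);
    dst[vallen] = '\0';
    return 0;
}

int main(void)
{
    char netname[NETNAME_MAX + 1], key[64], longhost[300];
    memset(longhost, 'a', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';   /* constructed: 299-byte hostname */
    printf("normal host:   %d\n", safe_host2netname(netname, sizeof netname, "nis1", "example.com"));
    printf("oversize host: %d\n", safe_host2netname(netname, sizeof netname, longhost, "example.com"));
    printf("oversize key:  %d\n", safe_copy_key(key, sizeof key, longhost, (int)strlen(longhost)));
    return 0;
}
```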

Affected Products:

  • IBM AIX 4.2.0
  • IBM AIX 4.2.1
  • IBM AIX 4.3.0
  • IBM AIX 4.3.1
  • IBM AIX 4.3.2
  • Sun Solaris 2.2.0
  • Sun Solaris 2.3.0
  • Sun Solaris 2.4.0
  • Sun Solaris 2.4.0_x86
  • Sun Solaris 2.5.0
  • Sun Solaris 2.5.0_x86
  • Sun Solaris 2.5.1
  • Sun Solaris 2.5.1_ppc
  • Sun Solaris 2.5.1_x86
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
