Debian Security Advisory
nlspath -- libc NLSPATH buffer overflow
- Date Reported:
- 13 Feb 1997
- Affected Packages:
- Security database references:
- No other external database security references currently available.
- More information:
Original submitter of the report: <firstname.lastname@example.org>
The [exploit] shellcode is a bit different from the usual one:
- it does setuid(geteuid()) by itself;
- easier to modify (no more fixed offsets in shellcode, and the shell name can be changed, too — the length is not fixed);
- the NULL pointer itself is passed in %edx to the execve syscall, not the pointer to NULL (it seems like a mistake in the Aleph One's article); this doesn't seem to affect anything though.
It might be possible to exploit this hole remotely, if one would use a patched telnet client which would allow exporting large environment variable values. The overflow would happen at /bin/login startup then (somewhat like the famous LD_PRELOAD exploit, but an overflow). I'm not sure of that though, there might be some restrictions on environment variables in telnetd.
- Fixed in:
- - (in release 1.3)