Security Information / 1997 / Security Information -- nlspath

Debian Security Advisory

nlspath -- libc NLSPATH buffer overflow

Date Reported:

13 Feb 1997

Affected Packages:

libc5

Vulnerable:

Yes

Security database references:

No other external database security references currently available.

More information:

Original submitter of the report: <solar@ideal.ru>

The [exploit] shellcode is a bit different from the usual one:

• it does setuid(geteuid()) by itself;
• easier to modify (no more fixed offsets in shellcode, and the shell name can be changed, too — the length is not fixed);
• the NULL pointer itself is passed in %edx to the execve syscall, not the pointer to NULL (it seems like a mistake in the Aleph One's article); this doesn't seem to affect anything though.

It might be possible to exploit this hole remotely, if one would use a patched telnet client which would allow exporting large environment variable values. The overflow would happen at /bin/login startup then (somewhat like the famous LD_PRELOAD exploit, but an overflow). I'm not sure of that though, there might be some restrictions on environment variables in telnetd.

Fixed in:

- (in release 1.3)