S.u.S.E. ypbind-mt Format String Vulnerability
BID:1820
Info
| Bugtraq ID: | 1820 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 18 2000 12:00AM |
| Updated: | Oct 18 2000 12:00AM |
| Credit: | First made public in S.u.S.E. advisory SuSE-SA:2000:042 on Oct 18, 2000. |
| Vulnerable: | SuSE Linux 7.0, SuSE Linux 6.4, SuSE Linux 6.3, SuSE Linux 6.2 |
| Not Vulnerable: | |
Discussion
ypbind-mt is a rewrite of the NIS client software by Thorsten Kukuk for S.u.S.E. Linux systems. It has been reported that this version is vulnerable to a possibly remotely exploitable format string attack. The problem is that user input is passed as part of the format string argument to a *printf function. A remote user can therefore construct a format string that causes the function to overwrite stack variables so that supplied shellcode is executed. Successful exploitation of this vulnerability would yield root access for the attacker. The exact location of the bug in the ypbind-mt implementation is not known at this time.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
S.u.S.E. has released upgrades that should eliminate this vulnerability.
SuSE Linux 6.2
- S.u.S.E. 6.2 (i386) ypclient-3.4-95
  ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/ypclient-3.4-95.i386.rpm
SuSE Linux 6.3
- S.u.S.E. 6.3 (alpha) ypclient-3.4-95
  ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/ypclient-3.4-95.alpha.rpm
- S.u.S.E. 6.3 (i386) ypclient-3.4-95
  ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/ypclient-3.4-95.i386.rpm
SuSE Linux 6.4
- S.u.S.E. 6.4 (alpha) ypclient-3.4-95
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/ypclient-3.4-95.alpha.rpm
- S.u.S.E. 6.4 (i386) ypclient-3.4-95
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/ypclient-3.4-95.i386.rpm
- S.u.S.E. 6.4 (ppc) ypclient-3.4-95
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/ypclient-3.4-95.ppc.rpm
SuSE Linux 7.0
- S.u.S.E. 7.0 (i386) ypclient-3.5-89
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/ypclient-3.5-89.i386.rpm
- S.u.S.E. 7.0 (sparc) ypclient-3.5-89
  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/ypclient-3.5-89.sparc.rpm
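
To audit hosts against the fixed builds listed above, the following added example (not part of the original advisory) classifies an installed ypclient package string for a given SuSE release. The function names are hypothetical, the version comparison is a simplified numeric one rather than rpm's own algorithm, and treating any build newer than the fixed one as patched is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory. Fixed builds are taken from the
# list above; treating any higher version-release as patched is an assumption.

# fixed_build RELEASE: print the fixed ypclient version-release.
fixed_build() {
    case "$1" in
        6.2|6.3|6.4) echo "3.4-95" ;;
        7.0)         echo "3.5-89" ;;
        *)           return 1 ;;
    esac
}

# cmp_dotted A B: print -1, 0 or 1 comparing dot-separated numeric fields.
# Simplified numeric compare, not rpm's full version algorithm.
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# ypclient_status RELEASE PKG: PKG is "ypclient-<version>-<release>" as
# printed by `rpm -q ypclient`. Prints patched, vulnerable or unknown.
ypclient_status() {
    fixed=$(fixed_build "$1") || { echo unknown; return 0; }
    case "$2" in ypclient-*-*) ;; *) echo unknown; return 0 ;; esac
    rest=${2#ypclient-}
    ver=${rest%-*}; rel=${rest##*-}
    for f in "$ver" "$rel"; do
        case "$f" in ""|*[!0-9.]*) echo unknown; return 0 ;; esac
    done
    c=$(cmp_dotted "$ver" "${fixed%-*}")
    if [ "$c" -eq 0 ]; then c=$(cmp_dotted "$rel" "${fixed##*-}"); fi
    if [ "$c" -lt 0 ]; then echo vulnerable; else echo patched; fi
}
```

On a host, call it as `ypclient_status 7.0 "$(rpm -q ypclient)"`; an "unknown" result means the release is not one listed in this advisory or the package string could not be parsed.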