Buffer Overflow In Solaris Kcms_configure Via A vulnerability report
vulnerabilities.aspcode.net
Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.
References
BUGTRAQ:Tuesday, November 30, 1999 another hole of Solaris7 kcms_configure
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net
BID:831
URL:http://www.securityfocus.com/bid/831
Phase:
Proposed (Wednesday, December 08, 1999)
Votes:
ACCEPT(2) Armstrong, Stracener | MODIFY(4) Prosser, Cole, Frech, Dik | NOOP(1) Baker | REVIEWING(1) Christey
Comments:
Cole> This can cause code to be executed.
Frech> XF:sol-kcms-conf-netpath-bo
Dik> the bug has nothing to do with kcms_configure; it's a bug in libnsl.so. All set-uid executables that trigger this code path are vulnerable. Sun bug 4295834; fixed in Solaris 8.
Prosser> Okay, I am confused. Based on Casper's comments and checking on the Sun patch site, I found the 4295834 bug (4295834 NETPATH security problem in libnsl) fixed in SunOS 5.4, Patch 101974-37 (x86) 101973 (sparc). Multiple libnsl vulnerabilities were first reported in an 98 Sun Bulletin #00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced in 7 (looks like in 5.4 as well) and was fixed in 8?
Christey> Need to dig up my offline email on this.
Christey> May be a duplicate of CVE-1999-0321, whose sole reference (XF:sun-kcms-configure-bo) no longer exists. Also examine BID:452 and BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated) which are the same as XF:sol-kcms-conf-p-bo(3652), which could be the new name for XF:sun-kcms-configure-bo.