Debian Security Advisory

nlspath -- libc NLSPATH buffer overflow

Date Reported: 13 Feb 1997
Affected Packages: libc5
Vulnerable: Yes
Security database references: No other external database security references currently available.
More information:

Original submitter of the report: <solar@ideal.ru>

The [exploit] shellcode is a bit different from the usual one:

  • it does setuid(geteuid()) by itself;
  • easier to modify (no more fixed offsets in shellcode, and the shell name can be changed, too — the length is not fixed);
  • the NULL pointer itself is passed in %edx to the execve syscall, not the pointer to NULL (it seems like a mistake in Aleph One's article); this doesn't seem to affect anything, though.

It might be possible to exploit this hole remotely, if one used a patched telnet client that allowed exporting large environment variable values. The overflow would then happen at /bin/login startup (somewhat like the famous LD_PRELOAD exploit, but an overflow). I'm not sure of that, though; there might be some restrictions on environment variables in telnetd.

Fixed in:
- (in release 1.3)