CVE-1999-0767

Vulnerability

A buffer overflow exists in Solaris libc, ufsrestore, and rcp when the LC_MESSAGES environment variable is set to an overly long value. This affects unpatched Solaris systems (exact versions not specified in the reference). The overflow occurs during message catalog lookup processing [1].

Exploitation

An attacker with local access or the ability to set environment variables (e.g., via a crafted telnet client that passes environment variables to /bin/login) can trigger the overflow. The reference notes that standard telnet daemons like Netkit 0.08/9 do not pass environment variables, but a custom telnet client could exploit this remotely. The attacker must set LC_MESSAGES to a specially crafted long string before executing the vulnerable program [1].

Impact

Successful exploitation can lead to arbitrary code execution with the privileges of the vulnerable process (e.g., root if ufsrestore or rcp run with elevated privileges). This results in full system compromise, including privilege escalation [1].

Mitigation

Red Hat shipped a fixed libc5.3.12 and libc5.4 is immune; other vendors were notified. Solaris users should apply vendor patches for libc, ufsrestore, and rcp. If no patch is available, restricting environment variable passing through network services (e.g., disabling telnet) can reduce risk. The reference suggests a temporary workaround: renaming the LC_MESSAGES variable in the library binary [1].