CVE-2024-33599 - Stack-Based Buffer Overflow in nscd Netgroup Cache 💥

Published: June 2024
Vulnerability Scope: nscd (Name Service Cache Daemon) in glibc (since 2.15)


The Linux world just spotted a serious security hole – CVE-2024-33599. This bug could let attackers crash your server or even run their own code, all thanks to a stack-based buffer overflow flaw in nscd’s netgroup cache. In this post, I’ll explain what’s going on, show a simple proof-of-concept, and tell you what you should do.

👀 What is nscd?

nscd is the Name Service Cache Daemon: it speeds up things like user lookups (getpwnam, getgrnam, or netgroup memberships) on Unix/Linux by caching. It’s built into glibc, the standard library used on most Linux boxes.

⚠️ What’s the Vulnerability?

If too many client requests fill up nscd’s fixed-size cache, new requests (specifically for netgroup data) can overflow a stack buffer and overwrite anything next to it (return addresses, variables, etc.). This is a classic stack-based buffer overflow. It could mean:

* Crashing nscd (denial of service)
* Crashing other programs that depend on it
* Pipeline to remote code execution on some setups (worst case)

Introduced in: glibc 2.15 (February 2012)
Component: Only present in the nscd binary!

> “…a subsequent client request for netgroup data may result in a stack-based buffer overflow.”
>
> — GLIBC Bugzilla #31541

---

Malicious clients “flood” the cache by making many requests

- When cache is full, nscd’s handling for new netgroup queries doesn’t properly check length — it puts too-big answers into a too-small stack buffer during a cache miss, corrupting the stack.

Here’s a boiled down snippet (for educational use only)

// Inside nscd, netgroup cache logic:
char stack_buf[BUF_SIZE];
if (response_size > sizeof(stack_buf)) {
    // Oops! Should bail out, but in old versions, this can overflow:
}
memcpy(stack_buf, cache_response, response_size); // Exploit happens here!

If cache_response is larger than stack_buf, this line corrupts memory!

- Upstream patch commit (proposed)

🛠️ Proof of Concept (PoC) — Memory Crash

Here’s a rough proof-of-concept (do *not* use on production!) showing how repeated netgroup requests could trigger a crash:

# netgroup_crash.py
# Requires: 'getent netgroup' and nscd running
import subprocess

for i in range(10000):
    netgroup = f"testgroup{i}"
    # This floods the nscd netgroup cache
    subprocess.run(["getent", "netgroup", netgroup])
print("Flooded nscd netgroup cache!")
# Now, a netgroup request may trigger the overflow

🚨 Exploit Possibility

*The buffer is on the stack.* Advanced attackers might chain this with other vulnerabilities (like leaking stack addresses, bypassing ASLR) for remote code execution. *But* even a crash/DoS can break services that depend on nscd (like remote logins).

🔗 References

- CVE Record – NVD
- GLIBC Bugzilla #31541
- RedHat security bulletin
- Upstream patch commit (proposed)

TL;DR

CVE-2024-33599 is a stack-based buffer overflow in nscd’s netgroup cache code. If nscd is running, and malicious users can flood netgroup requests, your system might be at risk — Denial of Service is easy; code execution is possible in some configurations. Patch or disable nscd ASAP.

Timeline

Published on: 05/06/2024 20:15:11 UTC
Last modified on: 03/26/2025 21:15:22 UTC