1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94
|
Rule:
--
Sid:
2025
--
Summary:
A user can change their password for Network Information Services (NIS)
using the ypasswd command. A vulnerability exists in ypasswd where
an overly long username can cause a buffer overflow resulting in
unauthorized access to the remote machine.
--
Impact:
Unauthorized super user access to the vulnerable host resulting in a
compromise of all data on the host and any network resources that host
is connected to. Full control of the victim is gained.
--
Detailed Information:
The rpc.ypasswd service processes all password changes from
ypasswd. Supplying a specially crafted request to a NIS server
running this daemon in the form of a long username, the attacker can
cause a buffer overflow in that process.
Since all master servers handling NIS resources run this daemon, the
resulting root access affects all NIS resources available on the LAN.
An exploit for this vulnerability exists, hosts that have been
compromised using this vulnerability typically display two instances of
inetd running at the same time. The result of the exploit is a root
shell attached to port 77 of the host.
--
Affected Systems:
Caldera OpenServer 5.0.5
Caldera OpenServer 5.0.6
Solaris 2.6
Solaris 7
Solaris 8
--
Attack Scenarios:
The attacker needs to craft a specially formulated request to the
rpc.ypasswd service containing a long username. An exploit for this
vulnerability exists.
--
Ease of Attack:
Simple
--
False Positives:
None Known
--
False Negatives:
None Known
--
Corrective Action:
Apply pacthes for the affected systems as soon as possible.
Disable the rpc.ypasswd daemon.
Disallow all RPC requests from external sources and use a firewall to
block access to RPC ports from outside the LAN.
--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
--
Additional References:
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0779
CIAC:
http://www.ciac.org/ciac/bulletins/m-008.shtml
Bugtraq:
http://www.securityfocus.com/bid/2763
Security Focus Mailing List Archive:
http://www.securityfocus.com/archive/1/187086
CERT:
http://www.kb.cert.org/vuls/id/327281
--
|