File: 2029.txt

snort 2.9.7.0-5
Rule:

--
Sid:
2029

--
Summary:
A user can change their password for Network Information Services (NIS) 
using the yppasswd command, which sends the change to the rpc.yppasswdd 
daemon on the NIS master server. A vulnerability exists in rpc.yppasswdd 
where an overly long username in that request causes a buffer overflow, 
resulting in unauthorized access to the remote machine.

--
Impact:
Unauthorized super user access to the vulnerable host. Because 
rpc.yppasswdd runs as root in order to modify the NIS password maps, a 
successful overflow yields root privileges, compromising all data on the 
host and any network resources that host is connected to. Full control 
of the victim is gained.

--
Detailed Information:
The rpc.yppasswdd service processes all password changes submitted by 
yppasswd. By supplying a specially crafted request containing a long 
username to a NIS server running this daemon, an attacker can cause a 
buffer overflow in that process.

Since every NIS master server runs this daemon, the resulting root 
access affects all NIS resources available on the LAN.

An exploit for this vulnerability exists. Hosts that have been 
compromised using it typically display two instances of inetd running 
at the same time; the exploit's payload is a root shell bound to port 77 
of the host.

--
Affected Systems:
	Caldera OpenServer 5.0.5
	Caldera OpenServer 5.0.6
	Solaris 2.6
	Solaris 7
	Solaris 8

--
Attack Scenarios:
The attacker crafts a password-update request to the rpc.yppasswdd 
service (RPC program 100009) whose username field is long enough to 
overrun the daemon's buffer. An exploit for this vulnerability exists.
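The request shape described under Detailed Information and Attack 
Scenarios can be checked directly on the wire. The following is an 
added detection example written for this page; it is not the Snort rule 
for this sid and not Sun's or Caldera's code. It decodes an ONC RPC 
CALL, confirms the program is yppasswdd (100009) and the procedure is 
YPPASSWDPROC_UPDATE (1), then measures the pw_name string in the 
arguments. The yppasswd argument layout (string oldpass followed by an 
x_passwd record that begins with pw_name) is the standard one from 
yppasswd.x; the 64-byte threshold and the build_update_call helper, 
which constructs sample packets with AUTH_NULL credentials, are 
assumptions made for illustration.

```python
"""Flag yppasswdd UPDATE calls whose username exceeds a length threshold.

Added example for this advisory, not Snort's rule or any vendor's code.
YPPASSWD_MAX_NAME is an assumed threshold; tune it to the platform.
"""
import struct

YPPASSWDPROG = 100009          # rpc.yppasswdd program number (0x000186A9)
YPPASSWDPROC_UPDATE = 1        # procedure carrying the new passwd entry
YPPASSWD_MAX_NAME = 64         # assumed threshold, not a documented limit


class RpcDecodeError(ValueError):
    """Raised when the buffer is not a well-formed RPC v2 CALL."""


def _u32(buf, off):
    if off + 4 > len(buf):
        raise RpcDecodeError("truncated at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _xdr_string(buf, off):
    """Read an XDR string<>: 4-byte length, bytes, padding to 4."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise RpcDecodeError("string length %d runs past buffer" % n)
    return buf[off:off + n], off + n + ((4 - n % 4) % 4)


def _skip_opaque_auth(buf, off):
    """Skip an opaque_auth: flavor, then opaque body<400>."""
    _flavor, off = _u32(buf, off)
    n, off = _u32(buf, off)
    if n > 400 or off + n > len(buf):
        raise RpcDecodeError("bad opaque_auth length %d" % n)
    return off + n + ((4 - n % 4) % 4)


def parse_rpc_call(buf):
    """Return (xid, prog, vers, proc, args_offset) for an RPC CALL."""
    off = 0
    xid, off = _u32(buf, off)
    msg_type, off = _u32(buf, off)
    if msg_type != 0:
        raise RpcDecodeError("not a CALL message")
    rpcvers, off = _u32(buf, off)
    if rpcvers != 2:
        raise RpcDecodeError("unsupported RPC version %d" % rpcvers)
    prog, off = _u32(buf, off)
    vers, off = _u32(buf, off)
    proc, off = _u32(buf, off)
    off = _skip_opaque_auth(buf, off)   # cred
    off = _skip_opaque_auth(buf, off)   # verf
    return xid, prog, vers, proc, off


def yppasswd_username_length(buf):
    """Length of pw_name in a yppasswdd UPDATE call, or None if not one.

    Arguments are: string oldpass<>; x_passwd newpw;  and x_passwd starts
    with string pw_name<>, so pw_name is the second XDR string.
    """
    _xid, prog, _vers, proc, off = parse_rpc_call(buf)
    if prog != YPPASSWDPROG or proc != YPPASSWDPROC_UPDATE:
        return None
    _oldpass, off = _xdr_string(buf, off)
    pw_name, _off = _xdr_string(buf, off)
    return len(pw_name)


def is_overflow_attempt(buf, limit=YPPASSWD_MAX_NAME):
    """True when buf is a yppasswd UPDATE whose username exceeds limit."""
    try:
        n = yppasswd_username_length(buf)
    except RpcDecodeError:
        return False            # malformed or truncated: not this signature
    return n is not None and n > limit


def build_update_call(oldpass, username, xid=0x1234):
    """Construct a sample yppasswd UPDATE call with AUTH_NULL (test input)."""
    def s(b):
        return struct.pack(">I", len(b)) + b + b"\0" * ((4 - len(b) % 4) % 4)
    hdr = struct.pack(">IIIIII", xid, 0, 2, YPPASSWDPROG, 1, YPPASSWDPROC_UPDATE)
    auth = struct.pack(">II", 0, 0) * 2        # AUTH_NULL cred and verf
    newpw = (s(username) + s(b"x") + struct.pack(">ii", 1000, 1000)
             + s(b"") + s(b"/home/u") + s(b"/bin/sh"))
    return hdr + auth + s(oldpass) + newpw


if __name__ == "__main__":
    print("benign:", is_overflow_attempt(build_update_call(b"old", b"alice")))
    print("attack:", is_overflow_attempt(build_update_call(b"old", b"A" * 1024)))
```

Feeding the decoder the UDP payload (or the TCP record after its 4-byte 
record mark) is enough; a request that claims a string longer than the 
datagram is rejected as malformed rather than silently matched, which is 
the same conservative choice a signature should make.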

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Apply patches for the affected systems as soon as possible.

Disable the rpc.yppasswdd daemon on hosts that do not need to accept NIS 
password changes.

Disallow all RPC requests from external sources and use a firewall to 
block access to RPC ports from outside the LAN, including the portmapper 
(TCP and UDP port 111) and the port rpc.yppasswdd registers with it.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CIAC:
http://www.ciac.org/ciac/bulletins/m-008.shtml

Security Focus Mailing List Archive:
http://www.securityfocus.com/archive/1/187086

CERT:
http://www.kb.cert.org/vuls/id/327281

--