[linux-security] BoS: announcing ypghost (fwd)
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Sun Mar 3 19:13:36 1996
Date: Sun, 3 Mar 96 19:15 MET
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
--------
It was just a matter of time until someone would post such a beast to the
net. I currently don't see a patch readily available for this, but it's being
discussed on the NYS mailing list.
As a stopgap measure, you may want to try and disable YP over UDP to
force use of TCP. You either have to patch ypserv for this, or make do
with pmap_dump/pmap_set from Wietse Venema's secure portmapper distribution:
Dump the current portmapper settings to a file with pmap_dump, delete
the ypserv/udp line, restart the portmapper, and pipe the changed
portmapper settings to pmap_set.
This will make every operation involving NIS lookups (such as ls -l)
dreadfully slow, so it may be quite impractical, but at least you're
safe until TCP spoofing has been incorporated into ypghost.
Olaf
---------- Forwarded message ----------
Date: Sat, 2 Mar 1996 04:30:36 +0000 (GMT)
From: R.Arnold / Arny <cs6171@scitsc.wlv.ac.uk>
To: best-of-security@suburbia.net
Subject: BoS: announcing ypghost
Hello,
Ypghost is now finally on general release. It can be obtained from:
http://www.scit.wlv.ac.uk/~cs6171/hack/progs/ypghost/ypghost.html
Ypghost effectively adds false (ghost) entries to NIS maps. It
does this by watching the local network for UDP packets that are
calls to the YPPROC_MATCH function of the RPC program YPPROG,
and then sends out false replies.
Ypghost performs NIS spoofing as described in a paper on NIS
security written by D.K.Hess, D.R.Safford and U.W.Pooch.
The most obvious implication is that false entries can be added
to the NIS maps passwd.byname, passwd.byuid, passwd.adjunct.byname
thus allowing possibly unauthorised root access.
The impact of such a weakness is vastly weakened by the fact
that an unauthorised person must be able to listen for, and send
packets, on the communication path between the NIS client and
the NIS server. In practice this means that ypghost must be run
as root on a machine on the same local network, so in some ways
it certainly isn't the best hacker's tool ever written. Despite
this it's still fairly neat since lots of people seem to talk
about spoofing, but you don't often see it done in practice.
It does however rely on the spoofed response reaching the client
before the real one, but in practice I don't see this as a
significant problem.
Ypghost currently has the limitation that it only supports
ethernet type interfaces, IP version 4 (with no fragmentation or
options), UDP, RPC version 2 (with AUTH_NULL), YPPROG version 2,
and assuming the -p option is not specified, PMAP_PROG version
2. I expect the majority of systems to comply with all these
conditions though.
Ypghost has been written to be fairly portable, using the
'libpcap' portable packet capturing library to receive packets,
and raw sockets to transmit packets. Unfortunately old kernels
don't allow you to set the source address, so it won't work with
SunOS 4.1 kernels or standard current linux kernels (I expect
linux will be fixed very soon however).
Ypghost is known to work on:
SunOS 5.4 (solaris)
Linux 1.2.13 & 1.3.14 (details of how to modify kernel supplied).
It also compiles and runs on FreeBSD 2.1.0, although I have not
been able to test whether it does definitely work.
I couldn't comment about other versions of unix, but anything
with libpcap, an ANSI compiler, and a *decent* implementation of
raw sockets should work.
Note that ypghost needs the libpcap library. The standard
version works fine on SunOS (and many other platforms) and there
is also a patched version for linux available (which isn't
incorporated into the standard release I think because work on
libpcap seems to have stopped at version 0.0.6 !). FreeBSD (at
least) seems to come with libpcap as standard. I'll probably
put both libpcap and libpcap for linux on my page, or at least
details where to get them from.
Arny - cs6171@scitsc.wlv.ac.uk
http://www.scit.wlv.ac.uk/~cs6171/hack/index.html
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
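A detection counterpart to the spoofing Arny describes above (a forged YPPROC_MATCH reply racing the real server's), added here as an example that is not code from ypghost or from either author: it decodes the RPC header of captured UDP payloads and flags a ypserv reply that arrives from a MAC other than the known server's, or a second reply to an XID the client has already been answered on. The packet tuples, addresses, MACs and XIDs are constructed sample data.

```python
import struct

YPPROG, YPVERS, YPPROC_MATCH = 100004, 2, 2   # NIS RPC program, version, "match" proc
RPC_CALL, RPC_REPLY, AUTH_NULL = 0, 1, 0      # RPC v2 message types and null auth flavor

def rpc_header(payload):
    """Decode the fixed RPC head: ('call', xid, prog, vers, proc) or ('reply', xid)."""
    if len(payload) < 8:
        return None
    xid, mtype = struct.unpack("!II", payload[:8])
    if mtype == RPC_CALL and len(payload) >= 24:
        _rpcvers, prog, vers, proc = struct.unpack("!IIII", payload[8:24])
        return ("call", xid, prog, vers, proc)
    if mtype == RPC_REPLY:
        return ("reply", xid)
    return None

def detect_ghost_replies(packets, server_ip, server_mac):
    """packets: (src_mac, src_ip, dst_ip, udp_payload) tuples as seen on the wire.
    Alerts on YPPROC_MATCH replies not sent from the real server's MAC (a spoofer
    can forge the IP but not avoid its own frame source) and on any second reply
    to an XID already answered, which is what the client sees when the race runs."""
    pending = {}        # xid -> client ip for outstanding YPPROC_MATCH calls
    answered = set()    # xids that already received one reply
    alerts = []
    for src_mac, src_ip, dst_ip, payload in packets:
        hdr = rpc_header(payload)
        if hdr is None:
            continue
        if hdr[0] == "call":
            _, xid, prog, vers, proc = hdr
            if (prog, vers, proc) == (YPPROG, YPVERS, YPPROC_MATCH) and dst_ip == server_ip:
                pending[xid] = src_ip
            continue
        xid = hdr[1]
        if pending.get(xid) != dst_ip:      # not a reply to a call we tracked
            continue
        if (src_ip, src_mac) != (server_ip, server_mac):
            alerts.append(f"xid {xid:#x}: ypserv reply claims {src_ip} but came from MAC {src_mac}")
        if xid in answered:
            alerts.append(f"xid {xid:#x}: duplicate reply to {dst_ip}")
        answered.add(xid)
    return alerts

# Constructed sample traffic (hypothetical addresses): one genuine exchange, then a
# call answered first by a spoofer using the server's IP and then by the real server.
def yp_match_call(xid):   # xid, CALL, rpcvers 2, prog, vers, proc, cred, verf (AUTH_NULL)
    return struct.pack("!10I", xid, RPC_CALL, 2, YPPROG, YPVERS, YPPROC_MATCH, AUTH_NULL, 0, AUTH_NULL, 0)

def yp_reply(xid):        # xid, REPLY, MSG_ACCEPTED, verf (AUTH_NULL), accept_stat SUCCESS
    return struct.pack("!6I", xid, RPC_REPLY, 0, AUTH_NULL, 0, 0)

SERVER, SERVER_MAC, CLIENT, CLIENT_MAC, SPOOFER_MAC = (
    "10.0.0.1", "00:00:c0:aa:aa:aa", "10.0.0.7", "00:00:c0:bb:bb:bb", "00:00:c0:ff:ff:ff")
SAMPLE = [
    (CLIENT_MAC, CLIENT, SERVER, yp_match_call(0x100)),
    (SERVER_MAC, SERVER, CLIENT, yp_reply(0x100)),
    (CLIENT_MAC, CLIENT, SERVER, yp_match_call(0x101)),
    (SPOOFER_MAC, SERVER, CLIENT, yp_reply(0x101)),
    (SERVER_MAC, SERVER, CLIENT, yp_reply(0x101)),
]

if __name__ == "__main__":
    for alert in detect_ghost_replies(SAMPLE, SERVER, SERVER_MAC):
        print(alert)
```

On a live segment the tuples would come from a libpcap capture of the Ethernet, IP and UDP layers; the decoder here only looks at the RPC payload.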