[20822] in bugtraq
Re: solaris 2.6, 7 yppasswd vulnerability
daemon@ATHENA.MIT.EDU (Matt Power)
Thu May 31 04:15:01 2001
Date: Wed, 30 May 2001 23:49:30 -0400
Message-Id: <200105310349.XAA29094@theta.bos.bindview.com>
From: Matt Power <mhpower@bos.bindview.com>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.30.0105281412380.28508-200000@biocserver.BIOC.CWRU.Edu>
In http://www.securityfocus.com/archive/1/187086 Jose Nazario
<jose@biocserver.bioc.cwru.edu> wrote
>A buffer overflow exploit (for the SPARC architecture) has been found in
>the wild which takes advantage of an unchecked buffer in the 'yppasswd'
>service on Solaris 2.6, 7 machines.
The publicly available exploit titled "rpc.yppasswdd SPARC remote
r000t mray/metaray 04/01" also can be used for remote root compromise
of Solaris 8 systems. Specifically, on a machine running this daemon:
    Solaris Fingerprint Database entry
    (http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl)
    14787f86620cab4a2619a819982d2dd5 - - 1 match(es)
    canonical-path: /usr/lib/netsvc/yp/rpc.yppasswdd
    package: SUNWypu
    version: 11.8.0,REV=2000.01.08.18.12
    architecture: sparc
    source: Solaris 8/SPARC
that exploit was able to start a "/usr/sbin/inetd -s z" process.
A few other notes about this issue:
-- the earlier posting (and the referenced web page
http://www.incidents.org/news/yppassword.php) both mention the
command "ps -ef | grep yppassword". That spelling happens to
not work since the daemon is named rpc.yppasswdd.
-- it also suggests that if there's output from
"rpcinfo -p | grep 100009" (on a Solaris 2.6 or 7 SPARC) then the
system is vulnerable. Solaris can provide a "100009" RPC service
either via rpc.yppasswdd, or (if the system is an NIS+ server
running in NIS-Compatibility mode) via rpc.nispasswdd. When
the exploit is run against an rpc.nispasswdd, there's a syslog
    rpc.nispasswdd[###]: received yp password update request
    from (various binary data followed by a shell command)
and rpc.nispasswdd continues running. I don't know for sure
whether rpc.nispasswdd can be vulnerable to this exploit, but I
saw no vulnerability in any of my tests (which were on Solaris 7).
Matt Power
BindView Corporation, RAZOR Team
mhpower@bos.bindview.com
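The two checks the post corrects (the daemon is named rpc.yppasswdd, and a registered RPC program 100009 may be served by rpc.nispasswdd rather than rpc.yppasswdd) can be combined into one host triage script. The script below is an added example, not part of the original post or of any Solaris tooling; it reads saved "rpcinfo -p" and "ps -ef" output from files so it runs offline, and the sample output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): decide how a Solaris host
# serves RPC program 100009 (yppasswd) from saved "rpcinfo -p" and "ps -ef"
# output. A registered 100009 alone does not mean rpc.yppasswdd is running;
# an NIS+ server in NIS-Compatibility mode registers it via rpc.nispasswdd.

# classify_100009 RPCINFO_FILE PS_FILE
# Prints one of: none, rpc.yppasswdd, rpc.nispasswdd, unknown-100009
classify_100009() {
    rpcinfo_file="$1"
    ps_file="$2"
    # Program number is the first field of each "rpcinfo -p" line.
    if ! awk '$1 == "100009" { found = 1 } END { exit !found }' "$rpcinfo_file"; then
        echo none
        return 0
    fi
    # Match the exact daemon names in the "ps -ef" command column
    # (the misspelling "yppassword" from the earlier advisory matches nothing).
    if grep -q '[/ ]rpc\.yppasswdd' "$ps_file"; then
        echo rpc.yppasswdd
    elif grep -q '[/ ]rpc\.nispasswdd' "$ps_file"; then
        echo rpc.nispasswdd
    else
        echo unknown-100009
    fi
}

# classify_from_strings RPCINFO_TEXT PS_TEXT
# Convenience wrapper that writes the two texts to temporary files.
classify_from_strings() {
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$tmpdir/rpcinfo"
    printf '%s\n' "$2" > "$tmpdir/ps"
    classify_100009 "$tmpdir/rpcinfo" "$tmpdir/ps"
    rm -rf "$tmpdir"
}

# Constructed sample output (assumed format, not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100009    1   udp    766  yppasswdd'
SAMPLE_RPCINFO_NO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind'
SAMPLE_PS_YP='    root   170     1  0 10:02:11 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd'
SAMPLE_PS_NISPLUS='    root   171     1  0 10:02:11 ?        0:00 /usr/sbin/rpc.nispasswdd'
SAMPLE_PS_NONE='    root     1     0  0 10:00:00 ?        0:01 /etc/init -'

# Live use on a host (hypothetical paths):
#   rpcinfo -p > /tmp/rpcinfo.out; ps -ef > /tmp/ps.out
#   classify_100009 /tmp/rpcinfo.out /tmp/ps.out
```

Saving the command output to files first avoids the classic pitfall of "ps -ef | grep ..." matching the grep process itself, and a result of unknown-100009 is worth a closer look, since it means something other than the two expected daemons has registered the yppasswd program number.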