[9059] in bugtraq
NIS and NIS+ ephemeral ports
daemon@ATHENA.MIT.EDU (Dylan Loomis)
Fri Jan 15 00:55:59 1999
Date: Wed, 13 Jan 1999 11:59:56 -0800
Reply-To: Dylan Loomis <dylan@DESTRO.NEWDREAM.NET>
From: Dylan Loomis <dylan@DESTRO.NEWDREAM.NET>
To: BUGTRAQ@NETSPACE.ORG
Aleph, feel free to edit the first part out but I didn't find it in the
BUGTRAQ archives so just tacked it in.
Prelude: first got a brand new Ultra10 from Sun, and surprisingly it had
two root partitions. So booted from the second root, and found, in addition to
the system accts, an account: sfa (sun field admin???) ran crack against it and
the password ended up being: 'debug' no single quotes. This was a brand new,
Solaris 2.6 box.
Question: at one of the sites I work at, we run NIS and NIS+ and I found that
even though NIS and NIS+ servers use a high ephemeral port, upon reboot this
port didn't change in some of the machines.
In effect this means that I can write scripts to connect directly to the port
and bypass the portmapper. Why is this bad? Well because a lot of sites
just block 111 (portmapper) and leave the rest open (ftp other stuff might
need them). In addition, since it doesn't run from inetd, I am pretty sure
you can't run tcpwrappers. Since it bypasses the portmapper, a secure
portmapper isn't much good either. So if I can guess the high port, I can,
in the case of NIS, get the hashed passwds quite easily.
Workarounds include checking what ephem port your server runs, and blocking it
at the firewall. Just cutting off your NIS/NIS+ server from the outside world.
What I want to find out: is this ephemeral port selection related to OS
release? To this end I am asking the BUGTRAQ readership to answer the
following informal poll; I will organize the results and post a summary.
Obviously I don't want your actual IP or location, but would like:
OS Release:
Hardware:
NIS or NIS+:
same ports on reboot?:
Patch level: <current | some_patches | patches_are_for_wimps>
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd
uname -a and rpcinfo -p server should give you all the info above. Below is
data for machines I have already checked. But, conflicting or supporting
data is appreciated.
thx -DAL-
-----------------------
OS Release: SunOS 5.5.1
Hardware: sparc10
NIS or NIS+: NIS+
same ports on reboot?: yes
Patch level: no patches (there is a reason for this! I swear)
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd
100300 3 udp 32772 nisd
100300 3 tcp 32771 nisd
100303 1 tcp 32777 nispasswd

OS Release: SunOS 5.6
Hardware: sparc20
NIS or NIS+: NIS
same ports on reboot?: <1024 changed, ephem ports same
Patch level: some patches
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd
100004 2 udp 772 ypserv
100004 1 udp 772 ypserv
100004 1 tcp 773 ypserv
100004 2 tcp 32772 ypserv
100007 3 udp 32776 ypbind
100007 2 udp 32776 ypbind
100007 1 udp 32776 ypbind
100007 3 tcp 32774 ypbind
100007 2 tcp 32774 ypbind
100009 1 udp 788 yppasswdd
100007 1 tcp 32774 ypbind

OS Release: SunOS 5.6
Hardware: Ultra1
NIS or NIS+: NIS+
same ports on reboot?: unknown awaiting result
Patch level: current
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd
100300 3 udp 35160 nisd
100300 3 tcp 37795 nisd
100303 1 tcp 37801 nispasswd
--
-DAL-
dylan@newdream.net
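An added example, not part of the original post: a small POSIX shell helper that reads `rpcinfo -p` output, lists the NIS/NIS+ registrations bound above port 1023 (the ones the post suggests blocking at the firewall), and compares two snapshots taken before and after a reboot to show which ports stayed the same. The sample data is the SunOS 5.6 NIS server record from the post; the program-number list is the standard rpc assignments for the services the poll asks about.

```shell
#!/bin/sh
# Added example (not from the original post). On a live server run:
#   rpcinfo -p server | nis_high_ports
# and keep the output as a snapshot to compare after the next reboot.

# RPC program numbers of the services the poll asks about
# (ypserv, ypbind, yppasswdd, nisd, nispasswd), as seen in the post's output.
NIS_PROGS='100004 100007 100009 100300 100303'

# Read rpcinfo -p lines on stdin; print "proto port service" for each NIS/NIS+
# registration on a port above 1023, one line per (proto, port), sorted.
nis_high_ports() {
    awk -v progs="$NIS_PROGS" '
        BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # rpcinfo -p columns: program vers proto port service (header has 4 fields)
        NF == 5 && ($1 in want) && $4 > 1023 { print $3, $4, $5 }
    ' | LC_ALL=C sort -u
}

# Given two snapshot files (output of nis_high_ports before and after a
# reboot), print the proto/port pairs that did not change, i.e. the ones an
# outsider could reach without ever talking to the portmapper.
unchanged_ports() {
    LC_ALL=C comm -12 "$1" "$2"
}

# Constructed sample input: the SunOS 5.6 NIS server from the post, with the
# rpcinfo header line and an rpcbind entry added for realism.
rpcinfo_sample() {
cat <<'EOF'
   program vers proto   port
    100000    4   tcp    111  rpcbind
    100004    2   udp    772  ypserv
    100004    1   tcp    773  ypserv
    100004    2   tcp  32772  ypserv
    100007    3   udp  32776  ypbind
    100007    3   tcp  32774  ypbind
    100009    1   udp    788  yppasswdd
EOF
}
```

Ports below 1024 (here 772, 773, 788) are left out because they are not the guessable high ports the post is about; the output of `nis_high_ports` is what you would feed into the firewall rule set or into `unchanged_ports` after the next reboot.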