[9080] in bugtraq


Re: NIS and NIS+ ephemeral ports

daemon@ATHENA.MIT.EDU (Roy Hooper)
Fri Jan 15 14:30:08 1999

Date: 	Fri, 15 Jan 1999 10:45:47 -0500
Reply-To: Roy Hooper <rhooper@CYBERUS.CA>
From: Roy Hooper <rhooper@CYBERUS.CA>
X-To:         Dylan Loomis <dylan@DESTRO.NEWDREAM.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199901131959.LAA17752@destro.newdream.net>

Dylan Loomis wrote on Wednesday, January 13, 1999 3:00 PM:

> Prelude: first got a brand new Ultra10 from sun, and surprisingly it had
> two root partitions.  So booted from the second root, and found, in
> addition to the system accts, an account: sfa (sun field admin???) ran
> crack against it and the password ended up being: 'debug' no single
> quotes.  This was a brand new, Solaris 2.6 box.

I just checked my Solaris 2.6x86 and Solaris 2.6 SPARC machines that have
been installed clean from CD, and there is no "sfa" account.  This appears
to have something to do with the sun installation of Solaris.

> In effect this means that I can write scripts to connect directly to the
> port and bypass the portmapper.  Why is this bad?  Well because a lot of
> sites just block 111 (portmapper) and leave the rest open (ftp other stuff
> might need them).  In addition, since it doesn't run from inetd, I am
> pretty sure you can't run tcpwrappers.  Since it bypasses the portmapper,
> a secure portmapper isn't much good either.  So if I can guess the high
> port, I can, in the case of NIS, get the hashed passwds quite easily.
>
> Workarounds include checking what ephem port your server runs, and
> blocking it at the firewall.  Just cutting off your NIS/NIS+ server from
> the outside world.

Sun NIS (and probably others) support what is known as securenets, which is
a list of IPs and Netmasks that are allowed to talk to your NIS server.
This file resides in /var/yp, and seems to be read only at startup.
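The securenets mechanism mentioned above is a plain text access list, so it is worth being able to check what a given file actually admits before restarting the server. The following is an added example, not code from the post or from Sun: it parses a securenets-style file (assumed format: one `netmask network` pair per line, with the keyword `host` standing in for a single-host mask, and `#` comments), answers whether a client address would be admitted, and flags entries that admit every address. The file contents and client addresses are constructed for the example.

```python
import ipaddress

# Constructed sample of a /var/yp/securenets file (not taken from the post).
SAMPLE_SECURENETS = """\
# netmask           network
host                127.0.0.1
255.255.255.0       192.168.10.0
255.255.0.0         10.20.0.0
"""


def parse_securenets(text):
    """Return the list of ip_network objects a securenets file admits.

    Each non-comment line is '<netmask> <network>'; the keyword 'host'
    as the netmask means a single address (assumed format).
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<netmask> <network>', got {raw!r}")
        mask, addr = parts
        if mask == "host":
            nets.append(ipaddress.ip_network(addr))          # /32 for one host
        else:
            # ip_network accepts dotted-quad netmasks after the slash
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def is_allowed(client_ip, nets):
    """True if client_ip falls inside any admitted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def audit_securenets(nets):
    """Return warnings for entries that admit everyone (a /0 mask)."""
    return [f"{net} admits every address; NIS maps would be world-readable"
            for net in nets if net.prefixlen == 0]


def check_clients(text, clients):
    """Map each candidate client address to its allowed/denied decision."""
    nets = parse_securenets(text)
    return {c: is_allowed(c, nets) for c in clients}


if __name__ == "__main__":
    # Constructed client addresses: two inside the list, one outside it.
    for client, ok in check_clients(SAMPLE_SECURENETS,
                                    ["192.168.10.55", "10.20.3.4", "172.16.0.1"]).items():
        print(f"{client:15} {'allowed' if ok else 'denied'}")
    # A wide-open entry is the usual misconfiguration to look for.
    for warning in audit_securenets(parse_securenets("0.0.0.0 0.0.0.0\n")):
        print("WARNING:", warning)
```

Because, as the reply notes, the file is only read at server startup, a change that this check confirms still has to be followed by a restart of the NIS server before it takes effect.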
