Home page logo

bugtraq logo Bugtraq mailing list archives

Discovery: Gain access to root on Linux via NIS
From: weave () hopi dtcc edu (Ken Weaverling)
Date: Tue, 5 Sep 1995 07:57:57 -0400


A user here stumbled upon a nice gaping hole in Linux using NIS. I sent
mail to CERT about it TUESDAY LAST WEEK, and got a form letter back to
send. The first question was what the incident number was. Since I haven't
received an incident number, my limited brain parser is in an infinite
loop on that one!  I have no idea when they will get in contact -- if
ever. Amazing. I even called their hotline and they told me to be patient.
Well, it's been seven days and STILL nothing.

Anyway, the Linux used here is Slackware 2.2.0. Not sure if the hole
exists on others, and I've never seen it discussed elsewhere. I've tested
my DG/UX systems and they are fine.

This hole is incredibly simple.  If you are running NIS on Linux, I
can get root on your machine as easily as the famous -froot bug. No
exploit scripts, poking at ports, or peeking at packets. Darn simple.

In fact, it is so simple, we all here can't believe it and there MUST
be something we are missing, but we've tested it on every linux box
we have, and they all go in as root.  Am not sure if this is just limited to
slackware release or not. (I tested our DG/UX systems and they are fine)

I know this is a full disclosure list, and I worry that others already know,
especially since numerous people here apparently already know,
so I am seriously considering posting details unless CERT stops ignorning
me. I emailed them again today about it as well.

I am in a real tizzy about this. I can't even tell you how to protect
yourself without giving it away. Just disabling NIS will not be enough,
believe it or not. :-(  If you have *EVER* run NIS on your Linux box,
you may be vulnerable :-(

p.s. A close friend of mine is in ICU at the hospital and I am spending
a LOT of time there, so I may not be able to give prompt replies to any
email I receive about this. Sorry.

Ken Weaverling          weave () dtcc edu |*|    *** I speak MIME and PGP ***
    Manager of Computer Services       |*|
   Stanton/Wilmington Campuses of      |*| PGP key: finger weave () hopi dtcc edu
Delaware Technical & Community College |*| fingerprint: finger weave () ssnet com

Version: 2.6.2


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]