Re: Discovery: Gain access to root on Linux via NIS
From: cellwood () gauss elee calpoly edu (Chris Ellwood)
Date: Thu, 7 Sep 1995 03:58:39 -0700
Ken Weaverling said...
-----BEGIN PGP SIGNED MESSAGE-----
A user here stumbled upon a nice gaping hole in Linux using NIS. I sent
mail to CERT about it TUESDAY LAST WEEK, and got a form letter back to
Anyway, the Linux used here is Slackware 2.2.0. Not sure if the hole
exists on others, and I've never seen it discussed elsewhere. I've tested
my DG/UX systems and they are fine.
This hole is incredibly simple. If you are running NIS on Linux, I
can get root on your machine as easily as the famous -froot bug. No
exploit scripts, poking at ports, or peeking at packets. Darn simple.
I know this is a full disclosure list, and I worry that others already know,
especially since numerous people here apparently already know,
so I am seriously considering posting details unless CERT stops ignoring
me. I emailed them again today about it as well.
I am in a real tizzy about this. I can't even tell you how to protect
yourself without giving it away. Just disabling NIS will not be enough,
believe it or not. :-( If you have *EVER* run NIS on your Linux box,
you may be vulnerable :-(
Since I believe in full disclosure, I'll go ahead and take a stab at it.
I would guess that the problem is if you have "+::0:0:::" in your
/etc/passwd file, anyone can do 'su +' and get root access. This
hole seems to meet your criteria of being very simple and existing
even with NIS disabled. However, the Linux yp-client v1.6 docs clearly
state that you should add an entry like "+:*:0:0:::" to your passwd
file, which would not allow you to 'su +' and get root access.
The real problem seems to be that Linux will recognize '+' as being a
valid user. Most other OS's (such as SunOS and Ultrix) do not.
Best of luck,
- Chris <cellwood () gauss calpoly edu>
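As an added example, not part of the original post or of the yp-client package: a small Python audit script that reads a passwd file, flags every NIS compat ("+") entry whose local password field is empty (the "+::0:0:::" form Chris describes), and shows the "+:*:0:0:::" form the yp-client docs recommend in its place. Because it inspects the file rather than the running service, it catches the entry whether or not NIS is currently enabled. The sample passwd contents and the function names are constructed for this example.

```python
#!/usr/bin/env python3
"""Audit a passwd(5) file for NIS compatibility ('+') entries with an empty
password field. Added example; the sample data below is constructed."""
import sys

# Constructed sample: a mix of ordinary accounts and NIS compat lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
+::0:0:::
+@sysadmins::0:0:::
+:*:0:0:::
-baduser::::::
+alice:x:::::
"""


def split_passwd_line(line):
    """Split one passwd line into its 7 colon-separated fields.
    NIS compat lines use the same layout, with most fields left empty."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    return fields


def weak_nis_entries(text):
    """Return (line number, line) for each '+' compat entry whose password
    field is empty. Such a line is treated as a local account named '+'
    with no password, which is the problem described in the thread.
    '-' exclusion lines and ordinary accounts are ignored."""
    weak = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#") or not line.startswith("+"):
            continue
        fields = split_passwd_line(line)
        if fields[1] == "":
            weak.append((n, line))
    return weak


def harden_line(line):
    """Return the line with an empty password field on a '+' entry replaced
    by '*', the form recommended by the yp-client docs. Other lines are
    returned unchanged."""
    if not line.startswith("+"):
        return line
    fields = split_passwd_line(line)
    if fields[1] == "":
        fields[1] = "*"
    return ":".join(fields)


def harden_passwd(text):
    """Apply harden_line to every line of a passwd file's contents."""
    return "\n".join(harden_line(l) for l in text.splitlines()) + "\n"


if __name__ == "__main__":
    # Usage: nis_passwd_audit.py [/etc/passwd]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for n, line in weak_nis_entries(text):
        print("line %d: %s  ->  %s" % (n, line, harden_line(line)))
```

Run it against a real /etc/passwd to list the entries that need the "*" password field; it only reports, so the actual edit stays a deliberate step by the administrator.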