mailing list archives
Re: Returned post for bugtraq () securityfocus com
From: Dan Stromberg <strombrg () nis acs uci edu>
Date: Tue, 29 May 2001 11:24:12 -0700
On Tue, May 29, 2001 at 06:38:15AM -0000, bugtraq-owner () securityfocus com wrote:
Kukuk's rpc.yppasswdd builds without a great deal of wrestling on
Solaris 2.6. There was one undef function, probably svc_getcaller,
but it's only used in a log message, so it's easy to just eliminate.
This could conceivably be a more complete temporary solution than
setting up noexec_user_stack (though both might be best).
It sure would be nice if Sun would at least acknowledge the problem.
On Mon, May 28, 2001 at 02:14:23PM -0400, Jose Nazario wrote:
The best solution is to firewall your boxe(s) that are running NIS from
the internet. However this will not stop the insider attack.
Sun has not release an official patch for this yet. A workaround 1) would
be to turn off yppasswdd. This is around line 133 or so in
/usr/lib/netsvc/yp/ypstart. Just comment it out. The hack doesn't appear
to work if yppassword is disabled with NIS still running. Please note in
doing this, yppassword is not running and users cannot change their
Another work around 2) is if you still need to run yppassword is to do
set noexec_user_stack = 1
set noexec_user_stack_log = 1
in /etc/system (after a reboot of course)
Of course a different exploit could work around that but hopefully this
will permit people to use yppasswd until a patch is forthcoming. This step
has not been tested yet.
Dan Stromberg UCI/NACS/DCS