Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: solaris 2.6, 7 yppasswd vulnerability
From: Matt Power <mhpower () bos bindview com>
Date: Wed, 30 May 2001 23:49:30 -0400

In http://www.securityfocus.com/archive/1/187086 Jose Nazario
<jose () biocserver bioc cwru edu> wrote

A buffer overflow exploit (for the SPARC architecture) has been found in
the wild which takes advantage of an unchecked buffer in the 'yppasswd'
service on Solaris 2.6, 7 machines.

The publicly available exploit titled "rpc.yppasswdd SPARC remote
r000t mray/metaray 04/01" also can be used for remote root compromise
of Solaris 8 systems. Specifically, on a machine running this daemon:

  Solaris Fingerprint Database entry
  (http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl)

  14787f86620cab4a2619a819982d2dd5 - - 1 match(es) 
                            canonical-path:
                            /usr/lib/netsvc/yp/rpc.yppasswdd 
                            package: SUNWypu 
                            version: 11.8.0,REV=2000.01.08.18.12 
                            architecture: sparc 
                            source: Solaris 8/SPARC 

that exploit was able to start a "/usr/sbin/inetd -s z" process.

A few other notes about this issue:

  -- the earlier posting (and the referenced web page
     http://www.incidents.org/news/yppassword.php) both mention the
     command "ps -ef | grep yppassword". That spelling happens to
     not work since the daemon is named rpc.yppasswdd.

  -- it also suggests that if there's output from
     "rpcinfo -p | grep 100009" (on a Solaris 2.6 or 7 SPARC) then the
     system is vulnerable. Solaris can provide a "100009" RPC service
     either via rpc.yppasswdd, or (if the system is an NIS+ server
     running in NIS-Compatibility mode) via rpc.nispasswdd. When
     the exploit is run against an rpc.nispasswdd, there's a syslog

       rpc.nispasswdd[###]: received yp password update request
        from (various binary data followed by a shell command)

     and rpc.nispasswdd continues running. I don't know for sure
     whether rpc.nispasswdd can be vulnerable to this exploit, but I
     saw no vulnerability in any of my tests (which were on Solaris 7).

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]