Re: solaris 2.6, 7 yppasswd vulnerability
From: Matt Power <mhpower () bos bindview com>
Date: Wed, 30 May 2001 23:49:30 -0400
In http://www.securityfocus.com/archive/1/187086 Jose Nazario
<jose () biocserver bioc cwru edu> wrote:
> A buffer overflow exploit (for the SPARC architecture) has been found in
> the wild which takes advantage of an unchecked buffer in the 'yppasswd'
> service on Solaris 2.6, 7 machines.
The publicly available exploit titled "rpc.yppasswdd SPARC remote
r000t mray/metaray 04/01" also can be used for remote root compromise
of Solaris 8 systems. Specifically, on a machine running this daemon:
Solaris Fingerprint Database entry
14787f86620cab4a2619a819982d2dd5 - - 1 match(es)
source: Solaris 8/SPARC
that exploit was able to start a "/usr/sbin/inetd -s z" process.
A few other notes about this issue:
-- the earlier posting (and the referenced web page
http://www.incidents.org/news/yppassword.php) both mention the
command "ps -ef | grep yppassword". That spelling happens to
not work since the daemon is named rpc.yppasswdd.
-- it also suggests that if there's output from
"rpcinfo -p | grep 100009" (on a Solaris 2.6 or 7 SPARC) then the
system is vulnerable. Solaris can provide a "100009" RPC service
either via rpc.yppasswdd, or (if the system is an NIS+ server
running in NIS-Compatibility mode) via rpc.nispasswdd. When
the exploit is run against an rpc.nispasswdd, there's a syslog
rpc.nispasswdd[###]: received yp password update request
from (various binary data followed by a shell command)
and rpc.nispasswdd continues running. I don't know for sure
whether rpc.nispasswdd can be vulnerable to this exploit, but I
saw no vulnerability in any of my tests (which were on Solaris 7).
BindView Corporation, RAZOR Team
mhpower () bos bindview com
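The checks discussed in the thread, as an added example that is not part of the original post or of anything BindView published: a POSIX sh script that tests whether RPC program 100009 is registered, tells rpc.yppasswdd apart from rpc.nispasswdd in process listings (with the correct daemon name rather than "yppassword"), and flags syslog lines of the "received yp password update request from ..." shape whose client field carries non-printable bytes or shell metacharacters. All rpcinfo, ps and syslog samples below are constructed, the daemon paths and syslog layout are illustrative assumptions, and the command text in the suspect log line is a placeholder.

```sh
#!/bin/sh
# Added example, not part of the original post. Checks a Solaris host the way
# the post describes: is RPC program 100009 registered, and is it served by
# rpc.yppasswdd or by rpc.nispasswdd (NIS+ in NIS-compatibility mode)?
# The sample outputs and log lines below are constructed, not captured.

# Constructed 'rpcinfo -p' output: program 100009 (yppasswdd) is registered.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100009    1   udp  32771  yppasswdd'

# Constructed 'ps -ef' output for the two daemons (paths are assumptions).
PS_SAMPLE_YP='    root   123     1  0 10:00:00 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd'
PS_SAMPLE_NISPLUS='    root   124     1  0 10:00:00 ?        0:00 /usr/sbin/rpc.nispasswdd -Y'

rpc_registers_100009() {
    # $1: 'rpcinfo -p' output. Returns 0 when program number 100009 is listed.
    printf '%s\n' "$1" | awk '$1 == "100009" { found = 1 } END { exit !found }'
}

passwd_daemon_from_ps() {
    # $1: 'ps -ef' output. Prints which daemon is present. The process is
    # named rpc.yppasswdd; a pattern such as "yppassword" never matches it.
    case "$1" in
        *rpc.yppasswdd*)  echo yppasswdd ;;
        *rpc.nispasswdd*) echo nispasswdd ;;
        *)                echo none ;;
    esac
}

log_update_request_is_suspicious() {
    # $1: one syslog line. Returns 0 when it is a "received yp password update
    # request from ..." message whose client field contains non-printable
    # bytes or shell metacharacters (the rpc.nispasswdd line the post
    # describes); a normal request names a host and nothing more.
    marker='received yp password update request from'
    case "$1" in
        *"$marker"*) ;;
        *) return 1 ;;
    esac
    payload=${1##*"$marker"}
    nonprint=$(printf '%s' "$payload" | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
    [ "$nonprint" -gt 0 ] && return 0
    case "$payload" in
        *';'*|*'|'*|*'`'*|*'$('*) return 0 ;;
    esac
    return 1
}

# Constructed syslog lines: a benign request, and one carrying binary junk
# followed by a command separator (command text replaced by a placeholder).
LOG_BENIGN='May 30 23:49:30 host rpc.nispasswdd[4242]: received yp password update request from client.example.com'
LOG_SUSPECT=$(printf 'May 30 23:49:31 host rpc.nispasswdd[4242]: received yp password update request from \001\002\003\177;CONSTRUCTED_COMMAND')

audit_host() {
    # $1: rpcinfo output, $2: ps output. Prints a one-line assessment.
    if rpc_registers_100009 "$1"; then
        daemon=$(passwd_daemon_from_ps "$2")
        echo "100009 registered; served by: $daemon"
    else
        echo "100009 not registered"
    fi
}

audit_host "$RPCINFO_SAMPLE" "$PS_SAMPLE_YP"
audit_host "$RPCINFO_SAMPLE" "$PS_SAMPLE_NISPLUS"
for line in "$LOG_BENIGN" "$LOG_SUSPECT"; do
    if log_update_request_is_suspicious "$line"; then
        # Replace unprintable bytes before echoing so the terminal stays clean.
        echo "SUSPICIOUS: $(printf '%s' "$line" | LC_ALL=C tr -c '[:print:]\n' '?')"
    else
        echo "ok: $line"
    fi
done
```

On a live host the two sample variables would be replaced by `$(rpcinfo -p)` and `$(ps -ef)`, and the log check would be fed from the syslog file that receives daemon messages. A registered 100009 service is only the first signal; which daemon answers it decides whether the affected rpc.yppasswdd is present at all.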