
Bugtraq mailing list archives

Multiple vendor ypxfrd map handling vulnerability
From: Janusz Niewiadomski <funkysh () isec pl>
Date: Thu, 10 Oct 2002 18:39:26 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




Name:                           ypxfrd
Version:                        read the details
CERT vulnerability note:        http://www.kb.cert.org/vuls/id/538033
Author:                         Janusz Niewiadomski <funkysh () isec pl>
Date:                           October 10, 2002


Issue:
======

Improper argument validation in ypxfrd may allow a local attacker to
read any file on the system.


Description:
============

The ypxfrd daemon is used to speed up the distribution of large NIS maps
from the NIS master to NIS slave servers.


Details:
========

When the getdbm procedure is called, the ypxfrd daemon creates a path to
the /var/yp/domain/map file (where domain and map are arguments provided
in the request). Unfortunately, it fails to check whether these arguments
contain slash or dot characters, thus making databases outside the
/var/yp directory accessible. A symlink can be used to get around the
.pag / .dir file extension limitation, allowing a local attacker to read
any file on the system.

The vendors were notified on August 27, 2002. The following systems are
identified as affected by this vulnerability:

Sun Microsystems Solaris
SCO OpenServer
Caldera OpenLinux


Impact:
=======

When ypxfrd is configured and running, a local attacker is able to read
any file on the system. As ypxfrd is typically run as root, this may lead
to privilege escalation. It is also possible to remotely read DBM files
outside the /var/yp directory, depending on the securenets configuration.


Vendor Response:
================

Please refer to CERT VU#538033 for more information.


- -- 
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj2lrV8ACgkQC+8U3Z5wpu53CQCfbA9DrAdCAsU1NoOHoeQSSlQ3
XcYAoILEc7l3BYEJvYmEyp7hm8eqjJ8C
=4E03
-----END PGP SIGNATURE-----
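
The missing check described under "Details", as an added example that is not part of the original advisory and is not code from any vendor's ypxfrd. The helper names `yp_name_ok` and `yp_build_map_path` and the length limit are assumptions made for illustration; the sample inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

#define YP_DIR      "/var/yp"  /* map root named in the advisory */
#define YP_NAME_MAX 64         /* assumed limit for this example */

/* Hypothetical helper: accept a single path component only.
 * Rejects empty names, any '/', and a leading '.' (which covers "."
 * and ".."). Dots elsewhere stay legal, since ordinary NIS map names
 * such as passwd.byname contain them. */
static int yp_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    return strlen(name) <= YP_NAME_MAX;
}

/* Hypothetical helper: build /var/yp/<domain>/<map> into out.
 * Returns 0 on success, -1 if either name is rejected or out is too
 * small. The caller appends .pag / .dir only after this succeeds. */
int yp_build_map_path(const char *domain, const char *map,
                      char *out, size_t outlen)
{
    int n;

    if (!yp_name_ok(domain) || !yp_name_ok(map))
        return -1;
    n = snprintf(out, outlen, "%s/%s/%s", YP_DIR, domain, map);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed request arguments: {domain, map}. */
    const char *req[][2] = { { "example.org", "passwd.byname" },
                             { "..", "passwd.byname" },
                             { "example.org", "../../tmp/x" } };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof req / sizeof req[0]; i++) {
        int rc = yp_build_map_path(req[i][0], req[i][1], path, sizeof path);
        printf("%s / %s -> %s\n", req[i][0], req[i][1],
               rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Because both names are confined to a single component, the resulting path cannot leave /var/yp, so a symlink placed elsewhere on the system with a .pag or .dir name is no longer reachable through the request arguments.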


