[SUMMARY] Patches for rpc.yppaswdd vulnerability finally available

From: David Foster <foster_at_dim.ucsd.edu>
Date: Wed Oct 03 2001 - 20:07:06 EDT
FYI, for anyone running NIS. I didn't get notice of this in
the Sun Security Bulletins, or CERT.

Dave Foster


Sun(sm) Alert Notification 

    Sun Alert ID: 27486 
    Synopsis: Buffer Overflow in "rpc.yppasswdd" Process Might Lead to 
	Unauthorized Root Access 
    Category: Security 
    Product: Solaris 
    BugIDs: 4456994 
    Avoidance: Patch, Workaround 
    State: Resolved 
    Date Released: 05-Jul-2001, 12-Sep-2001 
    Date Closed: 12-Sep-2001 
    Date Modified: 10-Aug-2001, 29-Aug-2001, 12-Sep-2001 

    1. Impact 

    Remote users may be able to gain unauthorized root access to a NIS 
    master server. 

    2. Contributing Factors 

    This issue can occur in the following releases: 

    SPARC 

        Solaris 2.6 without patch 106303-03 
        Solaris 7 without patch 111590-02 
        Solaris 8 without patch 111596-02 

    Intel 

        Solaris 2.6 without patch 106304-03 
        Solaris 7 without patch 111591-02 
        Solaris 8 without patch 111597-02 

        Note: Solaris 2.5 and 2.5.1 are not at risk. 

    Only NIS master servers that have the "rpc.yppasswdd"
    process running are affected ("rpc.yppasswdd" will terminate 
    when the described issue is exploited - with or without success; see the
    "Symptoms" section below.). 

    3. Symptoms 

    There are two symptoms that might show the described
    problem has been exploited to gain unauthorized root access to a NIS master
    server (these symptoms may be concealed by an unauthorized root user): 

        1. The "rpc.yppasswdd" process is no longer running (this
           is because once the exploit completes, the "rpc.yppasswdd" 
	   process will exit). As a result, users will no longer be able 
	   to change their NIS password. The following command may be used 
	   to check if the "rpc.yppasswdd" process is still running: 

               $ ps -ef | grep rpc.yppasswdd

        2. A known exploit exists which, if successful, will start an 
           additional "inted" process. The following command may be used to 
           check for additional "inetd" processes: 

               $ ps -ef | grep inetd                        

           An additional "inetd" process like in the following example output 
           would indicate an ongoing intrusion: 

            root    159  1    0    15:22:09    ? 0:00 /usr/sbin/inetd -s
            root    456  1    0    15:26:51    ? 0:00 /usr/sbin/inetd -s 
<filename>                        

           Here, "/usr/sbin/inetd -s <filename>" hints at an exploit
           of the described issue (on occurrence, "<filename>" will be the 
           name of an arbitrary file). 

           Once a NIS master server has been successfully attacked,
           it may be difficult to determine if the system has been compromised. 
           The unauthorized root user may have cleaned up the system to
           avoid drawing attention to the exploit. 

    4. Relief/Workaround 

       As possible workarounds 

       1. Stop the "rpc.yppasswdd" process. This will prevent
          the described exploit but also keep all users in the servers 
          NIS domain from changing their NIS password. 

                          or 

       2. Enable "non-executable user program stacks" in the
          kernel by adding the following lines to the NIS servers 
          "/etc/system" file (a subsequent reboot is required): 

                 set noexec_user_stack = 1
                 set noexec_user_stack_log = 1
                

          and restart the "rpc.yppasswdd" process. This will
          prevent the current known exploit code from succeeding. 
          Modified exploit code may still be created to bypass this 
          limited protection. This workaround is only affective on sun4u, 
          sun4m, and sun4d architectures (enter "uname -m" to display a 
          systems architecture). This workaround will not work on Intel 
          platforms. 

          An attack against a system using workaround 2 will fail
          but still terminate the "rpc.yppasswdd" process, again preventing 
          users from changing their NIS password until the "rpc.yppasswdd" is
          restarted. 

       5. Resolution 

          This issue is addressed in the following releases: 

              SPARC

                  Solaris 2.6 with patch 106303-03 or later 
                  Solaris 7 with patch 111590-02 or later 
                  Solaris 8 with patch 111596-02 or later 

              Intel 

                  Solaris 2.6 with patch 106304-03 or later 
                  Solaris 7 with patch 111591-02 or later 
                  Solaris 8 with patch 111597-02 or later 

          Change History 

              10-Aug-2001 

                  Patch 106303-03 (Solaris 2.6 SPARC) is available 

              29-Aug-2001 

                  Patches 111590-02 (Solaris 7 SPARC) and 111596-02
                  (Solaris 8 SPARC) are available 

              12-Sep-2001 

                  All patches are available 
                  State: Resolved 



   << All opinions expressed are mine, not the University's >>

  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   David Foster    National Center for Microscopy and Imaging Research
    Programmer/Analyst     University of California, San Diego
    dfoster@ucsd.edu       Department of Neuroscience, Mail 0608
    (858) 534-7968         http://ncmir.ucsd.edu/
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself.  Therefore, all progress
   depends on the unreasonable."   -- George Bernard Shaw

------------- End Forwarded Message -------------



   << All opinions expressed are mine, not the University's >>

  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   David Foster    National Center for Microscopy and Imaging Research
    Programmer/Analyst     University of California, San Diego
    dfoster@ucsd.edu       Department of Neuroscience, Mail 0608
    (858) 534-7968         http://ncmir.ucsd.edu/
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself.  Therefore, all progress
   depends on the unreasonable."   -- George Bernard Shaw

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Oct 3 19:05:38 2001

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:26 EST