Bugtraq mailing list archives

Re: rpc.ypupdated


From: pug () arlut utexas edu (Pug)
Date: Tue, 19 Dec 1995 08:05:46 -0600


> I've fixed the SunOS 4.1.3 ypupdated bug (I think). Using tcp_wrapper tcpd
> to call rpc.ypupdated by inetd, and restricting access for local domain machines,
> has blocked this security gap. Here follow the steps:

You are of course assuming that none of the local machines have been
compromised, and are trusted. In my experience, it is much easier to break
in via a machine in the local domain that is less protected. The only
safe way is to kill it. (Of course the only secure machine is the one
never turned on. Assuming that you have it buried in 6' of concrete so
they can't walk off with it.)

Btw, under NSkit 1.0 under Solaris 2.x I have only been able to break in
via this method *if* keyserv is not running or rpc.ypupdated is started
with the -i option. Both of these will cause UNIX instead of DES
authentication to be used. Unfortunately I haven't had the time to
figure out 2.x's keyserv to see if I can get in somehow through it.

Ciao,

--
Richard Bainter          Mundanely     |    OS Specialist         - OMG/CSD
Pug                      Generally     |    Applied Research Labs - U.Texas
   pug () arlut utexas edu     |     pug () eden com     |     {any user}@pug.net
Note: The views may not reflect my employers, or even my own for that matter.
