Bugtraq mailing list archives
Re: Returned post for bugtraq () securityfocus com
From: Dan Stromberg <strombrg () nis acs uci edu>
Date: Tue, 29 May 2001 11:24:12 -0700
On Tue, May 29, 2001 at 06:38:15AM -0000, bugtraq-owner () securityfocus com wrote:

Kukuk's rpc.yppasswdd builds without a great deal of wrestling on Solaris 2.6. There was one undef function, probably svc_getcaller, but it's only used in a log message, so it's easy to just eliminate.

This could conceivably be a more complete temporary solution than setting up noexec_user_stack (though both might be best).

It sure would be nice if Sun would at least acknowledge the problem.

On Mon, May 28, 2001 at 02:14:23PM -0400, Jose Nazario wrote:
The best solution is to firewall your box(es) that are running NIS from the internet. However, this will not stop the insider attack. Sun has not released an official patch for this yet.

A workaround 1) would be to turn off yppasswdd. This is around line 133 or so in /usr/lib/netsvc/yp/ypstart. Just comment it out. The hack doesn't appear to work if yppassword is disabled with NIS still running. Please note in doing this, yppassword is not running and users cannot change their password.

Another workaround 2), if you still need to run yppassword, is to do the following:

    set noexec_user_stack = 1
    set noexec_user_stack_log = 1

in /etc/system (after a reboot of course).

Of course a different exploit could work around that, but hopefully this will permit people to use yppasswd until a patch is forthcoming. This step has not been tested yet.
-- Dan Stromberg UCI/NACS/DCS
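
Added example (not part of the original posts, and not Sun's or Kukuk's code): a shell check that reports which of the two workarounds quoted above is configured on a host. The function names and the sample file contents are constructed for illustration; it assumes a POSIX sh and awk (on Solaris, the /usr/xpg4/bin versions) and mktemp for the demo.

```shell
#!/bin/sh
# Added example: report which workaround from this thread is configured.
# Function names are hypothetical; sample data in demo() is constructed.

# Print the value assigned by the last active "set NAME = VALUE" line in an
# /etc/system-style file. Lines starting with '*' or '#' are comments.
system_setting() {  # usage: system_setting NAME FILE
    awk -v name="$1" '
        /^[ \t]*[*#]/ { next }
        $0 ~ ("^[ \t]*set[ \t]+" name "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop everything up to "="
            sub(/[ \t].*$/, "", val)        # drop trailing text
        }
        END { print val }' "$2"
}

# Heuristic: succeed if any non-comment line of the start script still
# mentions rpc.yppasswdd, i.e. the daemon line was not commented out.
yppasswdd_enabled() {  # usage: yppasswdd_enabled YPSTART_FILE
    grep -v '^[[:space:]]*#' "$1" | grep 'rpc\.yppasswdd' >/dev/null
}

# Print one of: disabled | noexec-stack | unmitigated
yppasswd_status() {  # usage: yppasswd_status SYSTEM_FILE YPSTART_FILE
    if ! yppasswdd_enabled "$2"; then
        echo disabled; return 0
    fi
    if [ "$(system_setting noexec_user_stack "$1")" = 1 ] &&
       [ "$(system_setting noexec_user_stack_log "$1")" = 1 ]; then
        echo noexec-stack; return 0
    fi
    echo unmitigated
}

# Constructed sample files (not from a real host); prints "noexec-stack".
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '* set noexec_user_stack = 0' 'set noexec_user_stack = 1' \
        'set noexec_user_stack_log = 1' > "$d/system"
    printf '%s\n' '$YPDIR/rpc.yppasswdd $PWDIR -m' > "$d/ypstart"
    yppasswd_status "$d/system" "$d/ypstart"
    rm -rf "$d"
}

# With two arguments audit those files, e.g. /etc/system and
# /usr/lib/netsvc/yp/ypstart; with none, run the demo.
if [ $# -eq 2 ]; then yppasswd_status "$1" "$2"; else demo; fi
```

/etc/system is read at boot, so "noexec-stack" describes what is configured; the running kernel only has the setting if the host was rebooted after the edit.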