Bugtraq mailing list archives

Discovery: Gain access to root on Linux via NIS


From: weave () hopi dtcc edu (Ken Weaverling)
Date: Tue, 5 Sep 1995 07:57:57 -0400


A user here stumbled upon a nice gaping hole in Linux using NIS. I sent
mail to CERT about it TUESDAY LAST WEEK, and got a form letter back to
send. The first question was what the incident number was. Since I haven't
received an incident number, my limited brain parser is in an infinite
loop on that one!  I have no idea when they will get in contact -- if
ever. Amazing. I even called their hotline and they told me to be patient.
Well, it's been seven days and STILL nothing.

Anyway, the Linux used here is Slackware 2.2.0. Not sure if the hole
exists on others, and I've never seen it discussed elsewhere. I've tested
my DG/UX systems and they are fine.

This hole is incredibly simple.  If you are running NIS on Linux, I
can get root on your machine as easily as the famous -froot bug. No
exploit scripts, poking at ports, or peeking at packets. Darn simple.

In fact, it is so simple, we all here can't believe it and there MUST
be something we are missing, but we've tested it on every linux box
we have, and they all go in as root.  Am not sure if this is just limited to
slackware release or not. (I tested our DG/UX systems and they are fine)

I know this is a full disclosure list, and I worry that others already know,
especially since numerous people here apparently already know,
so I am seriously considering posting details unless CERT stops ignoring
me. I emailed them again today about it as well.

I am in a real tizzy about this. I can't even tell you how to protect
yourself without giving it away. Just disabling NIS will not be enough,
believe it or not. :-(  If you have *EVER* run NIS on your Linux box,
you may be vulnerable :-(

p.s. A close friend of mine is in ICU at the hospital and I am spending
a LOT of time there, so I may not be able to give prompt replies to any
email I receive about this. Sorry.

Ken Weaverling          weave () dtcc edu |*|    *** I speak MIME and PGP ***
    Manager of Computer Services       |*|
   Stanton/Wilmington Campuses of      |*| PGP key: finger weave () hopi dtcc edu
Delaware Technical & Community College |*| fingerprint: finger weave () ssnet com

