Re: Discovery: Gain access to root on Linux via NIS

[alan () mid net (Alan Hannan)]

.........  Ken Weaverling is rumored to have said:
-->
-->  A user here stumbled upon a nice gaping hole in Linux using NIS. I sent
-->  mail to CERT about it TUESDAY LAST WEEK, and got a form letter back to
-->  send. The first question was what the incident number was. Since I haven't
-->  received an incident number, my limited brain parser is in an infinite
-->  loop on that one!  I have no idea when they will get in contact -- if
-->  ever. Amazing. I even called their hotline and they told me to be patient.
-->  Well, it's been seven days and STILL nothing.

  And what do you think it will be in another 7 days?

-->  I know this is a full disclosure list, and I worry that others already know,
-->  especially since numerous people here apparently already know,
-->  so I am seriously considering posting details unless CERT stops ignorning
-->  me. I emailed them again today about it as well.

  Post the exploit.  CERT and vendors make promises all they want, but it takes
News Media Press, a high-profile exploitation, or widespread distribution
(outside of CERT) to cause them to fill their channels.

  Post the exploit, and see if CERT doesn't take action then.  Depending on
CERT for computer security notification is like depending on Bill Clinton to
know when your taxes are going up.

--
Alan Hannan                        Email: alan () mid net
Network Systems Administrator      Voice: (402) 472-0239
MIDnet, Lincoln NOC Office         Fax:   (402) 472-0240