Bugtraq mailing list archives

Re: solaris 2.6, 7 yppasswd vulnerability


From: Matt Power <mhpower () bos bindview com>
Date: Wed, 30 May 2001 23:49:30 -0400

In http://www.securityfocus.com/archive/1/187086 Jose Nazario
<jose () biocserver bioc cwru edu> wrote

A buffer overflow exploit (for the SPARC architecture) has been found in
the wild which takes advantage of an unchecked buffer in the 'yppasswd'
service on Solaris 2.6, 7 machines.

The publicly available exploit titled "rpc.yppasswdd SPARC remote
r000t mray/metaray 04/01" also can be used for remote root compromise
of Solaris 8 systems. Specifically, on a machine running this daemon:

  Solaris Fingerprint Database entry
  (http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl)

  14787f86620cab4a2619a819982d2dd5 - - 1 match(es) 
                            canonical-path:
                            /usr/lib/netsvc/yp/rpc.yppasswdd 
                            package: SUNWypu 
                            version: 11.8.0,REV=2000.01.08.18.12 
                            architecture: sparc 
                            source: Solaris 8/SPARC 

that exploit was able to start a "/usr/sbin/inetd -s z" process.

A few other notes about this issue:

  -- the earlier posting (and the referenced web page
     http://www.incidents.org/news/yppassword.php) both mention the
     command "ps -ef | grep yppassword". That spelling happens to
     not work since the daemon is named rpc.yppasswdd.

  -- it also suggests that if there's output from
     "rpcinfo -p | grep 100009" (on a Solaris 2.6 or 7 SPARC) then the
     system is vulnerable. Solaris can provide a "100009" RPC service
     either via rpc.yppasswdd, or (if the system is an NIS+ server
     running in NIS-Compatibility mode) via rpc.nispasswdd. When
     the exploit is run against an rpc.nispasswdd, there's a syslog

       rpc.nispasswdd[###]: received yp password update request
        from (various binary data followed by a shell command)

     and rpc.nispasswdd continues running. I don't know for sure
     whether rpc.nispasswdd can be vulnerable to this exploit, but I
     saw no vulnerability in any of my tests (which were on Solaris 7).

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com
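The post makes two detection points: the daemon is named rpc.yppasswdd (so grepping for "yppassword" finds nothing), and an RPC program 100009 listing does not by itself tell you whether rpc.yppasswdd or rpc.nispasswdd is serving it. The shell function below, an added example rather than anything from the post or from BindView, classifies a host from captured `rpcinfo -p` and `ps -ef` text; the sample output it parses is constructed in the Solaris layout and the rpc.nispasswdd path is assumed.

```sh
#!/bin/sh
# Added example: decide which daemon (if any) is behind RPC program 100009,
# given the text of "rpcinfo -p" and "ps -ef". On a live Solaris host:
#   classify_100009 "$(rpcinfo -p)" "$(ps -ef)"

# Usage: classify_100009 RPCINFO_TEXT PS_TEXT
# Prints one of: none, rpc.yppasswdd, rpc.nispasswdd, unknown
classify_100009() {
    rpcinfo_out=$1
    ps_out=$2
    # First field of each "rpcinfo -p" data line is the program number.
    if ! printf '%s\n' "$rpcinfo_out" |
         awk '$1 == 100009 { found = 1 } END { exit !found }'; then
        echo none
        return 0
    fi
    # Match the real daemon names; "yppassword" (as in the earlier advice)
    # would never match.
    if printf '%s\n' "$ps_out" | grep -q 'rpc\.yppasswdd'; then
        echo rpc.yppasswdd
    elif printf '%s\n' "$ps_out" | grep -q 'rpc\.nispasswdd'; then
        echo rpc.nispasswdd
    else
        echo unknown      # 100009 registered, but no known passwd daemon seen
    fi
}

# Constructed sample output (not real captures); the rpc.nispasswdd path is assumed.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100009    1   udp  32774  yppasswdd'
SAMPLE_RPCINFO_NONE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind'
SAMPLE_PS_YP='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   213     1  0   Jun 01 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd'
SAMPLE_PS_NISPLUS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   214     1  0   Jun 01 ?        0:00 /usr/sbin/rpc.nispasswdd'

classify_100009 "$SAMPLE_RPCINFO" "$SAMPLE_PS_YP"
classify_100009 "$SAMPLE_RPCINFO" "$SAMPLE_PS_NISPLUS"
```

A result of rpc.yppasswdd on Solaris 2.6, 7 or 8 is the case the post describes; rpc.nispasswdd is the case the author could not show to be affected.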