FYI, for anyone running NIS. I didn't get notice of this in the Sun Security
Bulletins, or CERT.

Dave Foster

Sun(sm) Alert Notification

Sun Alert ID: 27486
Synopsis: Buffer Overflow in "rpc.yppasswdd" Process Might Lead to Unauthorized Root Access
Category: Security
Product: Solaris
BugIDs: 4456994
Avoidance: Patch, Workaround
State: Resolved
Date Released: 05-Jul-2001, 12-Sep-2001
Date Closed: 12-Sep-2001
Date Modified: 10-Aug-2001, 29-Aug-2001, 12-Sep-2001

1. Impact

Remote users may be able to gain unauthorized root access to a NIS master
server.

2. Contributing Factors

This issue can occur in the following releases:

SPARC
    Solaris 2.6 without patch 106303-03
    Solaris 7 without patch 111590-02
    Solaris 8 without patch 111596-02

Intel
    Solaris 2.6 without patch 106304-03
    Solaris 7 without patch 111591-02
    Solaris 8 without patch 111597-02

Note: Solaris 2.5 and 2.5.1 are not at risk.

Only NIS master servers that have the "rpc.yppasswdd" process running are
affected ("rpc.yppasswdd" will terminate when the described issue is
exploited - with or without success; see the "Symptoms" section below).

3. Symptoms

There are two symptoms that might show the described problem has been
exploited to gain unauthorized root access to a NIS master server (these
symptoms may be concealed by an unauthorized root user):

1. The "rpc.yppasswdd" process is no longer running (this is because once
   the exploit completes, the "rpc.yppasswdd" process will exit). As a
   result, users will no longer be able to change their NIS password. The
   following command may be used to check if the "rpc.yppasswdd" process is
   still running:

       $ ps -ef | grep rpc.yppasswdd

2. A known exploit exists which, if successful, will start an additional
   "inetd" process. The following command may be used to check for
   additional "inetd" processes:

       $ ps -ef | grep inetd

   An additional "inetd" process like in the following example output would
   indicate an ongoing intrusion:

       root 159 1 0 15:22:09 ? 0:00 /usr/sbin/inetd -s
       root 456 1 0 15:26:51 ? 0:00 /usr/sbin/inetd -s <filename>

   Here, "/usr/sbin/inetd -s <filename>" hints at an exploit of the
   described issue (on occurrence, "<filename>" will be the name of an
   arbitrary file).

Once a NIS master server has been successfully attacked, it may be difficult
to determine if the system has been compromised. The unauthorized root user
may have cleaned up the system to avoid drawing attention to the exploit.

4. Relief/Workaround

As possible workarounds:

1. Stop the "rpc.yppasswdd" process. This will prevent the described exploit
   but also keep all users in the server's NIS domain from changing their
   NIS password.

or

2. Enable "non-executable user program stacks" in the kernel by adding the
   following lines to the NIS server's "/etc/system" file (a subsequent
   reboot is required):

       set noexec_user_stack = 1
       set noexec_user_stack_log = 1

   and restart the "rpc.yppasswdd" process. This will prevent the current
   known exploit code from succeeding. Modified exploit code may still be
   created to bypass this limited protection.

   This workaround is only effective on sun4u, sun4m, and sun4d
   architectures (enter "uname -m" to display a system's architecture).
   This workaround will not work on Intel platforms.

   An attack against a system using workaround 2 will fail but still
   terminate the "rpc.yppasswdd" process, again preventing users from
   changing their NIS password until the "rpc.yppasswdd" is restarted.

5. Resolution

This issue is addressed in the following releases:

SPARC
    Solaris 2.6 with patch 106303-03 or later
    Solaris 7 with patch 111590-02 or later
    Solaris 8 with patch 111596-02 or later

Intel
    Solaris 2.6 with patch 106304-03 or later
    Solaris 7 with patch 111591-02 or later
    Solaris 8 with patch 111597-02 or later

Change History

10-Aug-2001  Patch 106303-03 (Solaris 2.6 SPARC) is available
29-Aug-2001  Patches 111590-02 (Solaris 7 SPARC) and 111596-02 (Solaris 8
             SPARC) are available
12-Sep-2001  All patches are available
             State: Resolved

<< All opinions expressed are mine, not the University's >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Foster     National Center for Microscopy and Imaging Research
Programmer/Analyst     University of California, San Diego
dfoster@ucsd.edu     Department of Neuroscience, Mail 0608
(858) 534-7968     http://ncmir.ucsd.edu/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw

------------- End Forwarded Message -------------

Received on Wed Oct 3 19:05:38 2001
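
The checks from sections 3 and 4 of the alert as shell functions (an added example, not part of the Sun Alert or the original post). The sample ps output is constructed from the alert's example, with /tmp/EXAMPLE as a placeholder for "<filename>"; the function names and finding labels are made up here, and treating any non-option inetd argument as a configuration file is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert. SAMPLE_PS is constructed from the
# example output in the alert; /tmp/EXAMPLE stands in for "<filename>".
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   159     1  0 15:22:09 ?        0:00 /usr/sbin/inetd -s
    root   456     1  0 15:26:51 ?        0:00 /usr/sbin/inetd -s /tmp/EXAMPLE
   admin   512   498  0 15:30:02 pts/1    0:00 grep inetd'

# scan_ps: reads "ps -ef" output on stdin, prints one finding per line and
# returns 1 if either symptom from section 3 is present.
scan_ps() {
    awk '
    {
        # CMD is the field after TIME (m:ss). Matching on the command
        # basename keeps "grep inetd" from counting as an inetd process.
        t = 0
        for (i = 5; i < NF; i++)
            if ($i ~ /^[0-9]+:[0-9][0-9]$/) { t = i; break }
        if (t == 0) next                      # header or unparsable line
        n = split($(t + 1), part, "/"); base = part[n]
        if (base == "rpc.yppasswdd") yp++
        if (base == "inetd") {
            inetd++
            # Assumption: inetd normally runs with options only ("inetd -s").
            for (j = t + 2; j <= NF; j++)
                if ($j !~ /^-/) print "INETD_CONFIG_ARG pid=" $2 " arg=" $j
        }
    }
    END {
        if (yp == 0)   print "YPPASSWDD_NOT_RUNNING"
        if (inetd > 1) print "EXTRA_INETD count=" inetd
        exit (yp == 0 || inetd > 1)
    }'
}

# check_noexec: reads /etc/system text on stdin; returns 0 only if both
# settings from workaround 2 are present with value 1.
check_noexec() {
    awk '
    /^[ \t]*[*#]/ { next }                    # comment line
    $1 == "set" {
        sub(/^[ \t]*set[ \t]+/, ""); gsub(/[ \t]/, "")
        if ($0 == "noexec_user_stack=1")     a = 1
        if ($0 == "noexec_user_stack_log=1") b = 1
    }
    END { exit !(a && b) }'
}

printf '%s\n' "$SAMPLE_PS" | scan_ps || true
```

On a live server the same functions take "ps -ef | scan_ps" and "check_noexec < /etc/system". As the alert notes, a clean result does not rule out a compromise, because a root intruder can hide both symptoms.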