Re: Discovery: Gain access to root on Linux via NIS
Chris Ellwood (cellwood gauss.elee.calpoly.edu), Thu, 7 Sep 1995 03:58:39 -0700
- Next message: Ken Weaverling: "Linux NIS security problem hole and fix"
- Previous message: Panzer Boy: "Re: httpd symlinks"
- Maybe in reply to: Ken Weaverling: "Discovery: Gain access to root on Linux via NIS"
- Next in thread: Alan Hannan: "Re: Discovery: Gain access to root on Linux via NIS"
Ken Weaverling said...

> -----BEGIN PGP SIGNED MESSAGE-----
> A user here stumbled upon a nice gaping hole in Linux using NIS. I sent
> mail to CERT about it TUESDAY LAST WEEK, and got a form letter back to
> send. [...]
> Anyway, the Linux used here is Slackware 2.2.0. Not sure if the hole
> exists on others, and I've never seen it discussed elsewhere. I've tested
> my DG/UX systems and they are fine.
>
> This hole is incredibly simple. If you are running NIS on Linux, I
> can get root on your machine as easily as the famous -froot bug. No
> exploit scripts, poking at ports, or peeking at packets. Darn simple. [...]
> I know this is a full disclosure list, and I worry that others already know,
> especially since numerous people here apparently already know,
> so I am seriously considering posting details unless CERT stops ignoring
> me. I emailed them again today about it as well.
>
> I am in a real tizzy about this. I can't even tell you how to protect
> yourself without giving it away. Just disabling NIS will not be enough,
> believe it or not. :-( If you have *EVER* run NIS on your Linux box,
> you may be vulnerable :-(

Since I believe in full disclosure, I'll go ahead and take a stab at it.

I would guess that the problem is if you have "+::0:0:::" in your /etc/passwd file, anyone can do 'su +' and get root access. This hole seems to meet your criteria of being very simple and existing even with NIS disabled.

However, the Linux yp-client v1.6 docs clearly state that you should add an entry like "+:*:0:0:::" to your passwd file, which would not allow you to 'su +' and get root access. The real problem seems to be that Linux will recognize '+' as being a valid user. Most other OS's (such as SunOS and Ultrix) do not.

Best of luck,

- Chris <cellwoodgauss.calpoly.edu>
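A defender-side check for the misconfiguration Chris describes, added here as an example that is not part of the original thread: it scans a passwd-format file for NIS compatibility ("+") entries and flags any whose password field is empty, since an entry such as "+::0:0:::" is what lets a login program that treats "+" as a real user accept it without a password, whereas the documented "+:*:0:0:::" form has a locked password field. The sample passwd files below are constructed for the example; `audit_passwd` and the temp-file names are this script's own.

```shell
#!/bin/sh
# Added example (not code from the original post or the yp-client package).

# audit_passwd FILE
# Prints one line per NIS compatibility ("+...") entry found in FILE, which
# must be in /etc/passwd format. Returns 1 if any such entry has an empty
# password field (the "+::0:0:::" case from the thread), 0 otherwise.
audit_passwd() {
    bad=0
    # Fields: name:passwd:uid:gid:gecos:home:shell. IFS=: keeps empty fields.
    while IFS=: read -r name pw uid gid gecos home shell || [ -n "$name" ]; do
        case "$name" in
            +*) ;;          # NIS compatibility entry: inspect it
            *) continue ;;  # ordinary account: out of scope here
        esac
        if [ -z "$pw" ]; then
            printf 'UNSAFE: "%s" has an empty password field (uid=%s)\n' \
                "$name" "${uid:-unset}"
            bad=1
        else
            printf 'ok: "%s" password field is "%s"\n' "$name" "$pw"
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample files for demonstration (not from any real system).
VULN_PASSWD=$(mktemp)
SAFE_PASSWD=$(mktemp)
trap 'rm -f "$VULN_PASSWD" "$SAFE_PASSWD"' EXIT

cat > "$VULN_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
+::0:0:::
EOF

cat > "$SAFE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
+:*:0:0:::
EOF

# Usage on a live host:
#   audit_passwd /etc/passwd && echo "no unsafe NIS entries"
```

The check only looks at the password field of "+" entries; it does not tell you whether the login programs on a given system treat "+" as a real account, which is the underlying behaviour Chris points at, so the locked "*" form is the setting to verify regardless of whether NIS is currently enabled.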