
Bugtraq archives for 1st quarter (Jan-Mar) 1999: NIS and NIS+ ephemeral ports

NIS and NIS+ ephemeral ports

Dylan Loomis (dylanDESTRO.NEWDREAM.NET)
Wed, 13 Jan 1999 11:59:56 -0800

Aleph, feel free to edit the first part out but I didn't find it in the
BUGTRAQ archives so just tacked it in.

Prelude: first got a brand new Ultra10 from sun, and surprisingly it had
two root partitions.  So booted from the second root, and found, in addition to
the system accts, an account: sfa (sun field admin???) ran crack against it and
the password ended up being: 'debug' no single quotes.  This was a brand new,
Solaris 2.6 box.

Question: at one of the sites I work at, we run NIS and NIS+ and I found that
even though NIS and NIS+ servers use a high ephemeral port, upon reboot this
port didn't change in some of the machines.

In effect this means that I can write scripts to connect directly to the port
and by-pass the portmapper.  Why is this bad?  Well because a lot of sites
just block 111 (portmapper) and leave the rest open (ftp other stuff might
need them).  In addition, since it doesn't run from inetd, I am pretty sure
you can't run tcpwrappers.  Since it bypasses the portmapper, a secure
portmapper isn't much good either.  So if I can guess the high port, I can,
in the case of NIS, get the hashed passwds quite easily.

Workarounds include checking what ephem port your server runs, and blocking it
at the firewall.  Just cutting off your NIS/NIS+ server from the outside world.

What I want to find out: is this ephemeral port selection related to OS
release?  To this end I am asking the BUGTRAQ readership to answer the
following informal poll, I will organize the results and post a summary.
Obviously I don't want your actual IP or location, but would like:

OS Release:
Hardware:
NIS or NIS+:
same ports on reboot?:
Patch level: <current | some_patches | patches_are_for_wimps>
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd

uname -a, rpcinfo -p server, should give you all the info above.  Below is
data for machines I have already checked.  But, conflicting or supporting
data is appreciated.

                                                thx -DAL-

-----------------------

OS Release: SunOS 5.5.1
Hardware: sparc10
NIS or NIS+: NIS+
same ports on reboot?: yes
Patch level: no patches (there is a reason for this! I swear)
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd
    100300    3   udp  32772  nisd
    100300    3   tcp  32771  nisd
    100303    1   tcp  32777  nispasswd

OS Release: SunOS 5.6
Hardware: sparc20
NIS or NIS+: NIS
same ports on reboot?: <1024 changed, ephem ports same
Patch level: some patches
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd
    100004    2   udp    772  ypserv
    100004    1   udp    772  ypserv
    100004    1   tcp    773  ypserv
    100004    2   tcp  32772  ypserv
    100007    3   udp  32776  ypbind
    100007    2   udp  32776  ypbind
    100007    1   udp  32776  ypbind
    100007    3   tcp  32774  ypbind
    100007    2   tcp  32774  ypbind
    100009    1   udp    788  yppasswdd
    100007    1   tcp  32774  ypbind

OS Release: SunOS 5.6
Hardware: Ultra1
NIS or NIS+: NIS+
same ports on reboot?: unknown awaiting result
Patch level: current
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd
    100300    3   udp  35160  nisd
    100300    3   tcp  37795  nisd
    100303    1   tcp  37801  nispasswd

--
-DAL-
dylannewdream.net