Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Solaris - Buffer overflow in yppasswd service

Solaris - Buffer overflow in yppasswd service

by phiber on May 29th, 2001 A buffer overflow exploit (for the SPARC architecture) has been found in the wild which takes advantage of an unchecked buffer in the 'yppasswd' service on Solaris 2.6, 7 machines. The Intel/x86 version of Solaris 2.6 and 7 may be vulnerable but has not yet been tested.


To check your system for vulnerability, use "rpcinfo -p | grep 100009" or
you can use "ps -ef | grep yppassword". If you see something, your system is vulnerable to this exploit.



Exploit log message:



May 9 13:56:56 victim-system yppasswdd[191]: yppasswdd: user

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@L

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@@@@@@@@@@@@@@@@@P"

`"?-"?-"?-"? ; /bin/sh-c echo 'rje stream tcp nowait root /bin/sh sh

-i'>z;/usr/sbin/inetd -s z;rm z;: does not exist





Symptoms: two inetds running:



victim-system:# ps -ef | grep inetd

root 209 1 0 Apr 30 ? 0:18 /usr/sbin/inetd -s -t

root 8297 1 0 13:56:56 ? 0:00 /usr/sbin/inetd -s z





Effect: root shell on port 77/TCP



she-ra:$ telnet victim-system rje

Trying 192.168.10.5...

Connected to victim-system.example.com.

Escape character is '^]'.

#



Detection



While running the code against a "non vulnerable" Solaris system,
Snort picks up the following:



May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:

192.168.4.38:654 -> 192.168.12.30:111



May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:

192.168.4.38:654 -> 192.168.12.30:111



May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:

192.168.4.38:654 -> 192.168.12.30:111



The following is the snort rule from whitehats, that picked this up:



alert UDP $EXTERNAL any -> $INTERNAL 111 (msg:

"IDS19/portmap-request-autofsd"; rpc: 10099,*,*;)



Protection



The best solution is to firewall your boxe(s) that are running NIS from
the internet. However this will not stop the insider attack.



Sun has not release an official patch for this yet. A workaround 1) would
be to turn off yppasswdd. This is around line 133 or so in
/usr/lib/netsvc/yp/ypstart. Just comment it out. The hack doesn't appear
to work if yppassword is disabled with NIS still running. Please note in
doing this, yppassword is not running and users cannot change their
password.



Another work around 2) is if you still need to run yppassword is to do
the following:



set noexec_user_stack = 1

set noexec_user_stack_log = 1

in /etc/system (after a reboot of course)



Of course a different exploit could work around that but hopefully this
will permit people to use yppasswd until a patch is forthcoming. This step
has not been tested yet.




Download the full report.


Credits:

This security advisory was prepared by Matt Fearnow of the SANS Institute and Jose Nazario.

Also contributing efforts go to Melanie Humphrey for the 1) workaround and Neil Long for the 2) workaround and to Stephen Lee. Acknowledgements:

Hackernews for heads up, and 'metaray' for discovering this vulnerability.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »