| VID |
12032 |
| Severity |
40 |
| Port |
|
| Protocol |
UDP |
| Class |
RPC |
| Detailed Description |
The remote RPC service 100009 (yppasswdd) is vulnerable to a buffer overflow that allows any user to obtain a root shell remotely on this host. The rpc.yppasswdd server handles password change requests from yppasswd and modifies the NIS password file. A buffer overflow exploit (for the SPARC architecture) was discovered that takes advantage of an unchecked buffer in the 'yppassword' service on Solaris 2.6, 7 and 8 machines. The Intel/x86 version of Solaris 2.6, 7 and 8 may also be vulnerable. Because the daemon runs as the superuser, local and remote users may be able to execute arbitrary code or commands with full system privileges.
* Warning: The service may be crashed by a buffer overflow test. If that happens, the service must be restarted to regain normal functionality.
* References: http://online.securityfocus.com/bid/2763, http://www.iss.net/security_center/static/6629.php
* Platforms Affected: Caldera OpenServer 5.0.5, Caldera OpenServer 5.0.6, Solaris 2.6, Solaris 7, Solaris 8 |
| Recommendation |
Disable this service if you don't use it. To disable this service:
The following line appears around line 133 of /usr/lib/netsvc/yp/ypstart: [$YPDIR/rpc.yppasswdd $PWDIR -m && echo 'rpc.yppasswdd\c'] Comment out that line, then run /usr/lib/netsvc/yp/ypstop followed by ypstart. The exploit does not appear to work if yppassword is disabled with NIS still running. Note that after this change yppassword is not running, so users cannot change their passwords.
-- OR --
Apply the appropriate patch or upgrade for the system.
For Sun Solaris: Apply the appropriate linker patch as listed below, available from the SunSolve Web site, http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
Solaris 2.6: 106303-03, Solaris 2.6_x86: 106304-03, Solaris 7: 111590-02, Solaris 7_x86: 111591-02, Solaris 8: 109320-01, Solaris 8_x86: 111597-02
For Caldera OpenServer 5.0.5 and 5.0.6: Apply the appropriate fixed binaries for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.19, ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.19/CSSA-2002-SCO.19.txt
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-2001-0779 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
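A way to verify the "disable this service" recommendation above, as an added example that is not part of the original advisory: it checks both that the ypstart line is commented out and that program 100009 is no longer registered with the portmapper, which catches the case where the script was edited but ypstop/ypstart were never run. The function names, fixture file names and port numbers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): check that rpc.yppasswdd,
# RPC program 100009, is disabled. Fixture contents are constructed.

# True if the start script still has an uncommented line that launches
# rpc.yppasswdd. $1: path to the script (/usr/lib/netsvc/yp/ypstart).
ypstart_launches_yppasswdd() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '/rpc\.yppasswdd[[:space:]]'
}

# Reads `rpcinfo -p` text on stdin (program vers proto port service) and
# prints "proto/port" for every registration of program 100009.
yppasswdd_registrations() {
    awk '$1 == "100009" { print $3 "/" $4 }'
}

# $1: start script, $2: file holding saved `rpcinfo -p` output.
# Prints findings; returns 0 only when the service is fully disabled.
audit_yppasswdd() {
    status=0
    if ypstart_launches_yppasswdd "$1"; then
        echo "FAIL: $1 still starts rpc.yppasswdd"; status=1
    fi
    regs=$(yppasswdd_registrations < "$2")
    if [ -n "$regs" ]; then
        echo "FAIL: program 100009 registered on:" $regs; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: rpc.yppasswdd disabled"; fi
    return "$status"
}

# Constructed fixtures: start-script fragment before/after the edit, and
# portmapper listings with and without the yppasswdd registration.
write_fixtures() {
    printf '%s\n' '$YPDIR/ypserv' \
        "\$YPDIR/rpc.yppasswdd \$PWDIR -m && echo 'rpc.yppasswdd\\c'" > "$1/ypstart.before"
    sed 's|^\$YPDIR/rpc\.yppasswdd|# &|' "$1/ypstart.before" > "$1/ypstart.after"
    printf '%s\n' '   program vers proto   port  service' \
        '    100000    4   udp    111  rpcbind' \
        '    100004    2   udp  32771  ypserv' > "$1/rpcinfo.after"
    { cat "$1/rpcinfo.after"; echo '    100009    1   udp  32790  yppasswdd'; } > "$1/rpcinfo.before"
}

# Usage on a real host: rpcinfo -p > rpc.txt; sh check.sh /usr/lib/netsvc/yp/ypstart rpc.txt
if [ "$#" -eq 2 ]; then audit_yppasswdd "$1" "$2"; fi
```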