I'm sending this out because I did not hear about these patches from Sun's
security lists or from CERT. There is an exploit for this in the wild.

Dave Foster

Buffer Overflow in "rpc.yppasswdd" Process Might Lead to Unauthorized Root
13 Sep 2001

Description

Sun(sm) Alert Notification

  * Sun Alert ID: 27486
  * Synopsis: Buffer Overflow in "rpc.yppasswdd" Process Might Lead to
    Unauthorized Root Access
  * Category: Security
  * Product: Solaris
  * BugIDs: 4456994
  * Avoidance: Patch, Workaround
  * State: Resolved
  * Date Released: 05-Jul-2001, 12-Sep-2001
  * Date Closed: 12-Sep-2001
  * Date Modified: 10-Aug-2001, 29-Aug-2001, 12-Sep-2001

1. Impact

Remote users may be able to gain unauthorized root access to a NIS master
server.

2. Contributing Factors

This issue can occur in the following releases:

SPARC
  * Solaris 2.6 without patch 106303-03
  * Solaris 7 without patch 111590-02
  * Solaris 8 without patch 111596-02

Intel
  * Solaris 2.6 without patch 106304-03
  * Solaris 7 without patch 111591-02
  * Solaris 8 without patch 111597-02

Note: Solaris 2.5 and 2.5.1 are not at risk.

Only NIS master servers that have the "rpc.yppasswdd" process running are
affected ("rpc.yppasswdd" will terminate when the described issue is
exploited, with or without success; see the "Symptoms" section below).

3. Symptoms

There are two symptoms that might show the described problem has been
exploited to gain unauthorized root access to a NIS master server (these
symptoms may be concealed by an unauthorized root user):

  1. The "rpc.yppasswdd" process is no longer running (this is because once
     the exploit completes, the "rpc.yppasswdd" process will exit). As a
     result, users will no longer be able to change their NIS password.

     The following command may be used to check if the "rpc.yppasswdd"
     process is still running:

         $ ps -ef | grep rpc.yppasswdd

  2. A known exploit exists which, if successful, will start an additional
     "inetd" process.

     The following command may be used to check for additional "inetd"
     processes:

         $ ps -ef | grep inetd

     An additional "inetd" process like in the following example output
     would indicate an ongoing intrusion:

         root   159     1  0 15:22:09 ?        0:00 /usr/sbin/inetd -s
         root   456     1  0 15:26:51 ?        0:00 /usr/sbin/inetd -s

     Here, "/usr/sbin/inetd -s " hints at an exploit of the described issue
     (on occurrence, "" will be the name of an arbitrary file).

Once a NIS master server has been successfully attacked, it may be difficult
to determine if the system has been compromised. The unauthorized root user
may have cleaned up the system to avoid drawing attention to the exploit.

4. Relief/Workaround

Possible workarounds:

  1. Stop the "rpc.yppasswdd" process. This will prevent the described
     exploit but also keep all users in the server's NIS domain from
     changing their NIS password.

  or

  2. Enable "non-executable user program stacks" in the kernel by adding the
     following lines to the NIS server's "/etc/system" file (a subsequent
     reboot is required):

         set noexec_user_stack = 1
         set noexec_user_stack_log = 1

     and restart the "rpc.yppasswdd" process.

     This will prevent the current known exploit code from succeeding.
     Modified exploit code may still be created to bypass this limited
     protection.

     This workaround is only effective on sun4u, sun4m, and sun4d
     architectures (enter "uname -m" to display a system's architecture).
     This workaround will not work on Intel platforms.

     An attack against a system using workaround 2 will fail but still
     terminate the "rpc.yppasswdd" process, again preventing users from
     changing their NIS password until "rpc.yppasswdd" is restarted.

5. Resolution

This issue is addressed in the following releases:

SPARC
  * Solaris 2.6 with patch 106303-03 or later
  * Solaris 7 with patch 111590-02 or later
  * Solaris 8 with patch 111596-02 or later

Intel
  * Solaris 2.6 with patch 106304-03 or later
  * Solaris 7 with patch 111591-02 or later
  * Solaris 8 with patch 111597-02 or later

Change History

10-Aug-2001
  * Patch 106303-03 (Solaris 2.6 SPARC) is available

29-Aug-2001
  * Patches 111590-02 (Solaris 7 SPARC) and 111596-02 (Solaris 8 SPARC) are
    available

12-Sep-2001
  * All patches are available
  * State: Resolved

<< All opinions expressed are mine, not the University's >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Foster            National Center for Microscopy and Imaging Research
Programmer/Analyst      University of California, San Diego
dfoster@ucsd.edu        Department of Neuroscience, Mail 0608
(858) 534-7968          http://ncmir.ucsd.edu/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
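
The two symptom checks from section 3 and the "/etc/system" workaround from section 4 of the alert above, combined into one script as an added example; it is not part of the original message or of the Sun Alert. The function names and the sample "ps -ef" data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert. Function names and the sample data
# are assumptions made for illustration.

# Constructed `ps -ef` sample: the two inetd lines are the alert's example
# output; the header and the ypserv line are made up.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   159     1  0 15:22:09 ?        0:00 /usr/sbin/inetd -s
    root   456     1  0 15:26:51 ?        0:00 /usr/sbin/inetd -s
    root   201     1  0   Sep 12 ?        0:03 /usr/lib/netsvc/yp/ypserv'

# count_cmd NAME: read `ps -ef` output on stdin and print how many processes
# have NAME as the basename of their command. The command is taken as the field
# after TIME (mm:ss), so a two-word STIME such as "Sep 12" does not shift it,
# and a "grep NAME" process is not counted as NAME.
count_cmd() {
  awk -v name="$1" 'NR > 1 {
    for (i = 5; i < NF; i++) if ($i ~ /^[0-9]+:[0-9][0-9]$/) break
    n = split($(i + 1), part, "/")
    if (n > 0 && part[n] == name) c++
  } END { print c + 0 }'
}

# check_symptoms: read `ps -ef` output on stdin, print one line per symptom.
check_symptoms() {
  ps_out=$(cat)
  if [ "$(printf '%s\n' "$ps_out" | count_cmd rpc.yppasswdd)" -eq 0 ]; then
    echo "SYMPTOM 1: rpc.yppasswdd is not running"
  fi
  if [ "$(printf '%s\n' "$ps_out" | count_cmd inetd)" -gt 1 ]; then
    echo "SYMPTOM 2: more than one inetd process"
  fi
}

# noexec_stack_enabled: read an /etc/system file on stdin; succeed only if both
# workaround lines are present and set to 1.
noexec_stack_enabled() {
  awk '/^[ \t]*set[ \t]+noexec_user_stack[ \t]*=[ \t]*1[ \t]*$/ { a = 1 }
       /^[ \t]*set[ \t]+noexec_user_stack_log[ \t]*=[ \t]*1[ \t]*$/ { b = 1 }
       END { exit !(a && b) }'
}

# Demo on the constructed sample; on a NIS master use: ps -ef | check_symptoms
printf '%s\n' "$SAMPLE_PS" | check_symptoms
```

As the alert notes, an intruder with root access can conceal both symptoms, so a clean result does not show that the server was never attacked.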