Solaris yppasswdd buffer overflow
Version 0.2 - May 11, 2001

# Description

Please note that this is a preliminary characterization of the Solaris yppasswdd buffer overflow. We are making this version available to provide at least some information about it. Please check back over the next few days as the information is made more complete.

A buffer overflow exploit (for the SPARC architecture) has been found in the wild which takes advantage of an unchecked buffer in the 'yppasswd' service on Solaris 6 and 7 machines.

To check your system for vulnerability, use "rpcinfo -p | grep 100009" or "ps -ef | grep yppasswd". If you see something, your system is vulnerable to this exploit.

Exploit log message:

    May  9 13:56:56 victim-system yppasswdd[191]: yppasswdd: user @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@L @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@P" `"?-"?-"?-"? ; /bin/sh-c echo 'rje stream tcp nowait root /bin/sh sh - -i'>z;/usr/sbin/inetd -s z;rm z;: does not exist

Symptoms: two inetds running:

    victim-system:# ps -ef | grep inetd
        root   209     1  0   Apr 30 ?        0:18 /usr/sbin/inetd -s -t
        root  8297     1  0 13:56:56 ?        0:00 /usr/sbin/inetd -s z

Effect: root shell on port 77/TCP:

    she-ra:$ telnet victim-system rje
    Trying 130.65.86.56...
    Connected to victim-system.mathcs.sjsu.edu.
    Escape character is '^]'.
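The three checks described above (rpc.yppasswdd registered as program 100009, the "user ... does not exist" syslog line with an overflow-sized user name, and a second inetd started with an alternate config file) can be scripted for a host sweep. This is an added example, not part of the original advisory; it runs against constructed samples modelled on the output shown above, and the 32-character user-name threshold is an assumption chosen because Solaris login names are far shorter.

```shell
#!/bin/sh
# Host-side checks for the indicators the advisory describes.

# Constructed samples modelled on the advisory's output (not captured data).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100009    1   udp    837  yppasswdd'
SAMPLE_SYSLOG='May  9 13:56:56 victim yppasswdd[191]: yppasswdd: user @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ does not exist
May  9 13:57:01 victim yppasswdd[191]: yppasswdd: user alice does not exist'
SAMPLE_PS='    root   209     1  0   Apr 30 ?        0:18 /usr/sbin/inetd -s -t
    root  8297     1  0 13:56:56 ?        0:00 /usr/sbin/inetd -s z'

# Exit 0 if rpc.yppasswdd (RPC program 100009) appears in "rpcinfo -p" output.
yppasswdd_registered() {
  printf '%s\n' "$1" | awk '$1 == "100009" { found = 1 } END { exit !found }'
}

# Count yppasswdd "does not exist" lines whose user field is 32+ characters;
# Solaris login names are at most 8, so anything that long is overflow input.
count_overflow_attempts() {
  printf '%s\n' "$1" | grep -c 'yppasswdd: user .\{32,\} does not exist'
}

# Print "PID cmdline" for every inetd given a non-option argument (a config
# file other than the default), e.g. the rogue "inetd -s z" in the advisory.
find_rogue_inetd() {
  printf '%s\n' "$1" | awk '
    /\/usr\/sbin\/inetd/ {
      start = 0
      for (i = 1; i <= NF; i++) if ($i == "/usr/sbin/inetd") start = i
      for (i = start + 1; i <= NF; i++)
        if ($i !~ /^-/) { print $2, substr($0, index($0, "/usr/sbin/inetd")); break }
    }'
}

# Demonstration on the samples; on a live host substitute "$(rpcinfo -p)",
# "$(cat /var/adm/messages)" and "$(ps -ef)" for the three variables.
if yppasswdd_registered "$SAMPLE_RPCINFO"; then
  echo "yppasswdd is registered with rpcbind: host is exposed if unpatched"
fi
echo "overflow-sized yppasswdd requests logged: $(count_overflow_attempts "$SAMPLE_SYSLOG")"
find_rogue_inetd "$SAMPLE_PS" | while read -r pid cmd; do
  echo "rogue inetd pid $pid: $cmd"
done
```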
# Detection

While running the code against a "non vulnerable" Solaris system, Snort picks up the following:

    May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd: 192.168.4.38:654 -> 192.168.12.30:111
    May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd: 192.168.4.38:654 -> 192.168.12.30:111
    May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd: 192.168.4.38:654 -> 192.168.12.30:111

The following is the Snort rule from Whitehats that picked this up:

    alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS19/portmap-request-autofsd"; rpc:10099,*,*;)

# Removal and Protection

The best solution is to firewall your box(es) that are running NIS from the Internet. However, this will not stop the insider attack. Sun has not released an official patch for this yet.

Work around 1) would be to turn off yppasswdd. This is around line 133 or so in /usr/lib/netsvc/yp/ypstart. Just comment it out. The exploit doesn't appear to work if yppasswdd is disabled with NIS still running. Please note that in doing this, yppasswdd is not running and users cannot change their passwords.

Work around 2), if you still need to run yppasswdd, is to add the following to /etc/system (effective after a reboot, of course):

    set noexec_user_stack = 1
    set noexec_user_stack_log = 1

Of course a different exploit could work around that, but hopefully this will permit people to use yppasswdd until a patch is forthcoming. This step has not been tested yet.

# References

Further information can be found at:

- http://www.incidents.org
- http://www.sans.org/infosecFAQ/unix/NIS.htm, Security Issues in NIS
- http://www.sans.org/infosecFAQ/unix/sec_solaris.htm, Securing Solaris

# Frequently Asked Questions (FAQ)

Q: I'm running Unix-like Operating System X on Processor Y. Am I vulnerable to this buffer overflow?
A: The only class of systems currently being attacked is Solaris systems running on the SPARC processor architecture.

Q: I'm running some version of Windows. Am I vulnerable?
A: Almost certainly not.
# Credits

This security advisory was prepared by Matt Fearnow of the SANS Institute and Jose Nazario. Also contributing efforts go to Melanie Humphrey for the 1) work around, Neil Long for the 2) work around, and to Stephen Lee.

Acknowledgements: Hackernews for the heads up.