yppasswdd detected
Created 6/1/01
CVE-2001-0779
Impact
A vulnerability in yppasswdd could allow a remote
attacker to execute arbitrary commands with root privileges.
Background
NIS is a set of services which provide
centralized account management and system configuration
capabilities for a Unix network. rpc.yppasswdd
is a service which runs as part of NIS to
provide users with the ability to change their passwords.
The Problem
Due to a buffer overflow condition, it is possible for an attacker
to overwrite the stack pointer in yppasswdd, thus
gaining the ability to execute arbitrary commands with root privileges.
The versions of yppasswdd included in Solaris 2.6 through
Solaris 8 (SunOS 5.6 through SunOS 5.8) are vulnerable.
Resolution
Disable the yppasswdd service if it is not
needed. This can be done by removing the execute permission
from rpc.yppasswdd as follows:
    chmod a-x /usr/lib/netsvc/yp/rpc.yppasswdd
Also kill the currently running rpc.yppasswdd
process as follows:
    ps -ef
    kill <pid of rpc.yppasswdd>
where <pid of rpc.yppasswdd> is the process ID of the
rpc.yppasswdd process in the output from the
ps command.
The above workaround will deny users the ability to change
their own passwords. If this side-effect is not desired,
then a patch should be applied.
Check Sun Security Bulletin 209
for patch information.
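The workaround steps above, collected into a script that can also confirm they took effect. This is an added example, not part of the original advisory or any Sun tooling. The function names, the --check/--apply options and the rpcinfo check (RPC program 100009 is yppasswdd) are assumptions added here; the binary path is the one given above.

```shell
#!/bin/sh
# Added example (not from the advisory): check or apply the rpc.yppasswdd
# workaround. Usage: sh yppasswdd_workaround.sh --check | --apply  (root for --apply)
BIN=/usr/lib/netsvc/yp/rpc.yppasswdd    # path given in the advisory

# stdin: `ps -ef` output. Prints the PID of each rpc.yppasswdd process.
# CMD is located as the field after TIME, so a two-word STIME ("Jun 01")
# is handled and "grep rpc.yppasswdd" is not mistaken for the daemon.
yppasswdd_pids() {
    awk 'NR > 1 {
        for (i = 7; i < NF; i++)
            if ($i ~ /^[0-9:-]+:[0-9][0-9]$/) {
                cmd = $(i + 1)
                if (cmd == "rpc.yppasswdd" || cmd ~ /\/rpc\.yppasswdd$/) print $2
                break
            }
    }'
}

# stdin: `rpcinfo -p` output. Succeeds if RPC program 100009 (yppasswdd)
# is registered. This check is an addition to the advisory's steps.
yppasswdd_registered() {
    awk '$1 == "100009" { found = 1 } END { exit !found }'
}

check() {
    rc=0
    if [ -x "$BIN" ]; then echo "WARN: $BIN is executable"; rc=1; fi
    pids=$(ps -ef | yppasswdd_pids)
    if [ -n "$pids" ]; then echo "WARN: rpc.yppasswdd running, pid(s):" $pids; rc=1; fi
    if rpcinfo -p 2>/dev/null | yppasswdd_registered; then
        echo "WARN: yppasswdd is registered with rpcbind"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: rpc.yppasswdd is disabled"
    return "$rc"
}

apply() {
    chmod a-x "$BIN"                        # stops the service being started again
    pids=$(ps -ef | yppasswdd_pids)
    [ -z "$pids" ] || kill $pids            # stop the instance already running
}

case "${1:-}" in
    --check) check ;;
    --apply) apply && check ;;
esac
```

Run with --check first to see the current state; --apply makes the two changes described above and then repeats the check.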
Any servers running NIS should also be protected
by a firewall.
Where can I read more about this?
For more information, see Sun
Security Bulletin 209, and the
SANS Emergency Incident Handler.