COMMAND

    NIS

SYSTEMS AFFECTED

    Linux

PROBLEM

    This is quite old, but still applies to most NIS hosts.  Source:
    Ken Weaverling (weave@hopi.dtcc.edu) on the Bugtraq list.

    You know how you put +, -, and @ entries in /etc/passwd to
    incorporate stuff from an NIS map?  Well, you can log in with that
    entry too.  "+" is a damn easy login to try, since most
    /etc/passwd files using NIS use an entry like...

        +:::::

    ... as the last line.

    This is why just disabling NIS is not enough.  If you forget to
    remove these entries from /etc/passwd, you are screwed.  All you
    have to do is:

        telnet host.domain

    and when asked for login

        login:+

    put "+" and you're in with root privileges.

    Note that this works with su and rlogin, but not everywhere!
    Let's take a look at Slackware 2.3 / kernel 1.2.13.  Logging in as
    + on SW2.3/1.2.13 doesn't give you anything bar a login refused,
    IF the passwd entry says just '+'.  The latest SW documentation
    says that a bare + line is all you need to pull in NIS entries
    with the libc that ships with it.

    However,  if  the  entry  says  '+::0:0:::'  then you can login as
    root  via  telnet  (well,  you  could  if  we  didn't  bar  direct
    root logins), but just 'su +' will get you root of course.   Using
    an entry of '+:*:0:0:::' allows people to login but disallows  the
    root hole.

SOLUTION

    The fix is to put a * in the password field of the NIS entries.
    This prevents login from the local /etc/passwd entry but doesn't
    lock the incorporated NIS entries (a bit inconsistent, but oh
    well).  Example:

        +:*::::
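    The following is an added example, not part of the original
    advisory: a small sh/awk script that audits a passwd-format file
    for +/- compat entries with an empty password field or a uid of 0
    (the two conditions described above) and emits the file with those
    entries in the locked form.  The function names and the sample
    file contents are this example's own.

```sh
#!/bin/sh
# Audit a passwd-format file for NIS compat entries (+, -, +@netgroup, +user)
# that reproduce the hole above: an empty password field lets the literal
# login "+" in without a password, and a uid field of 0 makes it root.
# Sample data below is constructed; nothing here touches the real /etc/passwd.

# Print one line per risky compat entry; exit status 1 if any were found.
check_nis_entries() {
    awk -F: '
        /^[+-]/ {
            why = ""
            if ($2 == "")  why = "empty password field"
            if ($3 == "0") why = (why == "" ? "" : why ", ") "uid 0 (root)"
            if (why != "") { printf "%s: %s -> %s\n", NR, $1, why; found++ }
        }
        END { exit (found > 0) ? 1 : 0 }
    ' "$1"
}

# Emit the file with every compat entry locked the way the fix above does:
# "*" in the password field, uid and gid fields cleared (stdout only).
lock_nis_entries() {
    awk -F: -v OFS=: '/^[+-]/ { $2 = "*"; $3 = ""; $4 = "" } { print }' "$1"
}

# Constructed sample of a host that dropped NIS but kept its compat lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/sh
+jane::::::
+::0:0:::
+:*::::
EOF

check_nis_entries "$sample" || echo "risky NIS entries found, see above"
lock_nis_entries "$sample"
rm -f "$sample"
```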