COMMAND
NIS+
SYSTEMS AFFECTED
Solaris 2.3 through 2.6, HP-UX, NEC
PROBLEM
NIS+ and NIS are designed to assist in the administration of
networks by providing centralized management and distribution of
information about users, machines, and other resources on the
network. NIS+ is a replacement for NIS. A buffer overflow exists
in some versions of NIS+. The rpc.nisd program is an ONC RPC
agent that implements the NIS+ service. Generally, the data sent
to an RPC daemon has an explicit maximum length, ensuring that it
will not overflow buffers of any reasonable size. However, one
NIS+ argument, nis_name, has no specified maximum length, so the
maximum defaults to an unsafe value. Because NIS+ copies this
argument into fixed-length buffers on the stack, an attacker can
corrupt the stack and cause the daemon to execute arbitrary
machine code. This problem was discovered by Josh Daymont of ISS.
Additionally, if your NIS+ server is running in NIS compatibility
mode and if an intruder is able to crash the NIS+ server, the
intruder may be able to masquerade as an NIS server and gain
access to machines that depend on NIS for authentication. Finally,
if an intruder is able to crash an NIS+ server and there are
clients on the local network that are initialized by broadcast,
an intruder may be able to provide false initialization
information to the NIS+ clients. Clients that are initialized by
hostname may also be vulnerable under some circumstances.
To determine whether you are vulnerable, do the following. On a
Solaris machine, issue the following command to check whether you
are running rpc.nisd:
solaris% rpcinfo -p localhost | grep 100300
If you see the following output, or something similar, and you
have not installed a patch, then you are vulnerable:
100300 3 udp 32773 nisd
100300 3 tcp 32771 nisd
SOLUTION
Until you are able to install the appropriate patch, we recommend
disabling NIS+. If you must operate with an unpatched version of
NIS+, the risk may be mitigated using the following strategies.
(1) Limit external access to your portmapper by blocking access to
port 111 at your firewall or router. (2) Configure your system to
mark the stack as non-executable. For example, on Solaris systems
running on sun4m, sun4d and sun4u platforms, the variable
noexec_user_stack in the /etc/system file can be used to mark the
stack as non-executable by default. (3) Initialize newly installed
NIS+ clients using a method that does not rely on unauthenticated
network information. For example, on Solaris systems you can copy
the /var/nis/NIS_COLD_START file from an already existing NIS+
client, and use that file as input to the nisinit command.
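The rpcinfo check above and the noexec_user_stack mitigation, combined into an offline assessment as an added POSIX shell example that is not part of the original advisory. The rpcinfo output and /etc/system contents it reads are constructed samples, and the function names nisd_registrations, nisd_running, noexec_stack_enabled and assess are my own.

```sh
# Added example, not part of the original advisory. All sample inputs are
# constructed; on a real host feed the output of `rpcinfo -p localhost`
# and the contents of /etc/system instead.

# Constructed rpcinfo -p output from a host with rpc.nisd registered.
SAMPLE_RPCINFO='   program vers proto   port
    100000    4   tcp    111  portmapper
    100300    3   udp  32773  nisd
    100300    3   tcp  32771  nisd
    100005    1   udp  32774  mountd'

# Constructed /etc/system with the non-executable stack setting active.
SAMPLE_SYSTEM_ON='* /etc/system
set noexec_user_stack=1'

# Constructed /etc/system where the setting exists only as a comment.
SAMPLE_SYSTEM_OFF='* set noexec_user_stack=1
set maxusers=64'

# Print "proto port" for each NIS+ (program number 100300) registration
# found in rpcinfo -p output read from stdin.
nisd_registrations() {
    awk '$1 == "100300" { print $3, $4 }'
}

# Succeed if rpc.nisd is registered with the portmapper.
nisd_running() {
    [ -n "$(nisd_registrations)" ]
}

# Succeed if /etc/system (on stdin) sets noexec_user_stack=1 on an
# active line; lines starting with '*' are comments and are ignored.
noexec_stack_enabled() {
    grep -q '^[[:space:]]*set[[:space:]]*noexec_user_stack[[:space:]]*=[[:space:]]*1'
}

# One-line verdict from rpcinfo output ($1) and /etc/system contents ($2).
# noexec_user_stack only blocks stack execution; it is not a fix.
assess() {
    if ! printf '%s\n' "$1" | nisd_running; then
        echo "rpc.nisd not registered: not exposed"
    elif printf '%s\n' "$2" | noexec_stack_enabled; then
        echo "rpc.nisd registered, noexec_user_stack set: patch still required"
    else
        echo "rpc.nisd registered, executable stack: VULNERABLE, patch or disable NIS+"
    fi
}
assess "$SAMPLE_RPCINFO" "$SAMPLE_SYSTEM_ON"
assess "$SAMPLE_RPCINFO" "$SAMPLE_SYSTEM_OFF"
```

The noexec_user_stack check only matters on the sun4m, sun4d and sun4u platforms named above; elsewhere the registration check alone decides.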
HP's patches are in process.
Some NEC systems are vulnerable. Patches are in progress and will
be available from:
ftp://ftp.meshnet.or.jp/pub/48pub/security
Sun Microsystems, Inc. released patches for Solaris 5.4, 5.5,
5.5.1, and 5.6. The patch numbers are as follows:
SunOS  Arch   Patch
5.3    sparc  101318-91
5.4    sparc  101973-35
5.4    intel  101974-35
5.5    sparc  103187-38
5.5    intel  103188-38
5.5.1  sparc  103612-41
5.5.1  intel  103613-41
5.6    sparc  105401-13
5.6    intel  105402-13
Sun estimates that a patch for SunOS 5.3 will be available soon.