Aleph, feel free to edit the first part out, but I didn't find it in the BUGTRAQ archives so just tacked it in.

Prelude: first got a brand new Ultra10 from Sun, and surprisingly it had two root partitions. So booted from the second root, and found, in addition to the system accts, an account: sfa (sun field admin???). Ran crack against it and the password ended up being: 'debug' no single quotes. This was a brand new, Solaris 2.6 box.

Question: at one of the sites I work at, we run NIS and NIS+ and I found that even though NIS and NIS+ servers use a high ephemeral port, upon reboot this port didn't change in some of the machines. In effect this means that I can write scripts to connect directly to the port and bypass the portmapper.

Why is this bad? Well, because a lot of sites just block 111 (portmapper) and leave the rest open (ftp, other stuff might need them). In addition, since it doesn't run from inetd, I am pretty sure you can't run tcpwrappers. Since it bypasses the portmapper, a secure portmapper isn't much good either. So if I can guess the high port, I can, in the case of NIS, get the hashed passwds quite easily.

Workarounds include checking what ephem port your server runs and blocking it at the firewall, or just cutting off your NIS/NIS+ server from the outside world.

What I want to find out: is this ephemeral port selection related to OS release? To this end I am asking the BUGTRAQ readership to answer the following informal poll; I will organize the results and post a summary. Obviously I don't want your actual IP or location, but would like:

    OS Release:
    Hardware:
    NIS or NIS+:
    same ports on reboot?:
    Patch level: <current | some_patches | patches_are_for_wimps>
    Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd

uname -a and rpcinfo -p server should give you all the info above. Below is data for machines I have already checked, but conflicting or supporting data is appreciated.
thx
-DAL-

-----------------------

OS Release: SunOS 5.5.1
Hardware: sparc10
NIS or NIS+: NIS+
same ports on reboot?: yes
Patch level: no patches (there is a reason for this! I swear)
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd

    100300    3   udp  32772  nisd
    100300    3   tcp  32771  nisd
    100303    1   tcp  32777  nispasswd

OS Release: SunOS 5.6
Hardware: sparc20
NIS or NIS+: NIS
same ports on reboot?: <1024 changed, ephem ports same
Patch level: some patches
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd

    100004    2   udp    772  ypserv
    100004    1   udp    772  ypserv
    100004    1   tcp    773  ypserv
    100004    2   tcp  32772  ypserv
    100007    3   udp  32776  ypbind
    100007    2   udp  32776  ypbind
    100007    1   udp  32776  ypbind
    100007    3   tcp  32774  ypbind
    100007    2   tcp  32774  ypbind
    100009    1   udp    788  yppasswdd
    100007    1   tcp  32774  ypbind

OS Release: SunOS 5.6
Hardware: Ultra1
NIS or NIS+: NIS+
same ports on reboot?: unknown, awaiting result
Patch level: current
Ephem port for: ypserv, ypbind, yppasswd, nisd, nispasswd

    100300    3   udp  35160  nisd
    100300    3   tcp  37795  nisd
    100303    1   tcp  37801  nispasswd

--
-DAL-
dylanat_private
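The workaround in the post is to find out which ports the NIS/NIS+ daemons are actually bound to and block those at the firewall, and the poll asks whether those ports survive a reboot. The following added example (not part of the original post) parses `rpcinfo -p` output to produce exactly that list and diffs two snapshots taken before and after a reboot; the "before" data is the sparc20 SunOS 5.6 record from the post, the "after" snapshot is constructed to match the "<1024 changed, ephem ports same" observation.

```python
"""Extract NIS/NIS+ listener ports from `rpcinfo -p` output and check which of
them persist across a reboot (added example; the AFTER snapshot is constructed)."""

# RPC program numbers of the services named in the poll.
NIS_PROGRAMS = {100004: "ypserv", 100007: "ypbind", 100009: "yppasswdd",
                100300: "nisd", 100303: "nispasswd"}

# Constructed `rpcinfo -p` snapshots. BEFORE copies the sparc20 record from the
# post (plus a portmapper line); AFTER keeps the high ports and moves the <1024 ones.
BEFORE = """   program vers proto   port
    100000    2   tcp    111  portmapper
    100004    2   udp    772  ypserv
    100004    1   tcp    773  ypserv
    100004    2   tcp  32772  ypserv
    100007    3   udp  32776  ypbind
    100007    3   tcp  32774  ypbind
    100009    1   udp    788  yppasswdd
"""
AFTER = """   program vers proto   port
    100000    2   tcp    111  portmapper
    100004    2   udp    774  ypserv
    100004    1   tcp    775  ypserv
    100004    2   tcp  32772  ypserv
    100007    3   udp  32776  ypbind
    100007    3   tcp  32774  ypbind
    100009    1   udp    790  yppasswdd
"""

def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].isdigit():
            continue
        name = f[4] if len(f) > 4 else NIS_PROGRAMS.get(int(f[0]), "?")
        entries.append((int(f[0]), int(f[1]), f[2], int(f[3]), name))
    return entries

def nis_ports(entries):
    """(proto, port) pairs bound by NIS/NIS+ programs: the rules a firewall needs
    in addition to blocking 111, since RPC clients can skip the portmapper."""
    return sorted({(e[2], e[3]) for e in entries if e[0] in NIS_PROGRAMS})

def persistent_ports(before, after):
    """(program, proto, port) triples bound identically in both snapshots; any
    result above 1024 is an ephemeral port that did not change on reboot."""
    key = lambda e: (e[0], e[2], e[3])
    return sorted({key(e) for e in before if e[0] in NIS_PROGRAMS}
                  & {key(e) for e in after if e[0] in NIS_PROGRAMS})

if __name__ == "__main__":
    b, a = parse_rpcinfo(BEFORE), parse_rpcinfo(AFTER)
    print("block in addition to 111:", nis_ports(b))
    print("unchanged after reboot:", persistent_ports(b, a))
```

On a real host, feed it `rpcinfo -p` captured before and after a reboot; every triple it reports above 1024 is a port that a 111-only filter leaves reachable and predictable.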
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:47 PDT