-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Name: ypxfrd Version: read the details CERT vulnerability note: http://www.kb.cert.org/vuls/id/538033 Author: Janusz Niewiadomski <funkyshat_private> Date: October 10, 2002 Issue: ====== Improper arguments validation in ypxfrd may allow local attacker to read any file on the system. Description: ============ ypxfrd daemon is used for speed up the distribution of large NIS maps from NIS master to NIS slave servers. Details: ======== When getdbm procedure is called, ypxfrd daemon creates a path to the /var/yp/domain/map file (where domain and map are arguments provided in the request). Unfortunately it fails to check if both arguments contains slash or dot characters, thus making databases outside /var/yp directory accessible. A symlink done can override .pag / .dir file extension limitation, allowing local attacker to read any file on the system. The vendors was notified on August 27, 2002. The following systems are identified as affected by this vulnerability: Sun Microsystems Solaris SCO OpenServer Caldera OpenLinux Impact: ======= When ypxfrd is configured and running, local attacker is able to read any file on the system. As ypxfrd is typically run as root, this may lead to privilege escalation. It is also possible to remotely read DBM files outside /var/yp directory, depending on the securenets configuration. Vendor Response: ================ Please refer to CERT VU#538033 for more information. - -- Janusz Niewiadomski iSEC Security Research http://isec.pl/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj2lrV8ACgkQC+8U3Z5wpu53CQCfbA9DrAdCAsU1NoOHoeQSSlQ3 XcYAoILEc7l3BYEJvYmEyp7hm8eqjJ8C =4E03 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 09:50:55 PDT