GNU libc glibc: NIS shadow password

2010-01-17 / 2010-01-18
Risk: High
Local: No
Remote: Yes
CWE: CWE-255


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

On Mon, 11 Jan 2010 10:52:08 +0100 Tomas Hoger <thoger@redhat.com> wrote:

> > No, that's not true. I have no experience with Linux NIS servers,
> > but when the NIS server runs on Solaris (Sun Microsystems is the
> > inventor of NIS), the shadow password information, which is in the
> > passwd.adjunct.byname map, on the NIS clients can only be seen by
> > root. When other users call for example "ypcat
> > passwd.adjunct.byname", they get an error message that the map does
> > not exist. Also, on Solaris NIS clients, the shadow password cannot
> > be seen with getpwnam.
>
> According to ypserv.conf man page [1], it is possible to restrict data
> from some map only to clients using a privileged (< 1024) source port.

Yes, and this is the default at least in Debian and Ubuntu NIS servers.

> Does Solaris possibly do the same (when configured to do so)?

I did a little testing with a Linux NIS client and a Linux NIS server, also with the same client and a Solaris NIS server. I used tcpdump to look at the network traffic and saw that, when ypcat is called as root, it uses privileged ports. Of course, when called by a non-root user, it only uses non-privileged ports.

It seems that Linux NIS servers as well as Solaris NIS servers expect that the request is sent from a privileged port when someone wants to look at the "secret" maps, so it is not possible for every user to see the encrypted NIS passwords, but only for root.

This is still a security risk in an environment where every user can connect his or her own notebook, but that's another problem.

Regards
Christoph
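
A defensive check for the port restriction discussed in the message above, as an added example that is not part of the original post or of the ypserv project: it parses ypserv.conf-style access rules (`host : domain : map : security`) and reports rules that would serve the password maps to requests from non-privileged source ports. The sample configurations are constructed, `shadow.byname` is checked alongside the `passwd.adjunct.byname` map named in the message, and top-down first-match rule evaluation is an assumption.

```python
# Added example: audit ypserv.conf access rules for the NIS password maps.
SECRET_MAPS = ("shadow.byname", "passwd.adjunct.byname")
SAFE = ("port", "deny")  # "port" = only source ports < 1024 are answered

# Constructed sample configurations (not taken from any real server).
HARDENED = """\
# host : domain : map : security
*  : *  : shadow.byname          : port
*  : *  : passwd.adjunct.byname  : port
*  : *  : *                      : none
"""
WEAK = """\
dns: no
*  : *  : passwd.adjunct.byname  : port   # shadow.byname rule is missing
*  : *  : *                      : none
"""

def parse_rules(text):
    """Return (host, domain, map, security) tuples from ypserv.conf text."""
    rules = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) == 4:  # option lines such as "dns: no" have 2 fields
            rules.append(tuple(fields))
    return rules

def findings(rules, map_name):
    """Rules that would answer map_name for unprivileged source ports.
    Assumption: rules are tried top-down and the first match wins."""
    found = []
    for host, domain, rule_map, security in rules:
        if rule_map not in (map_name, "*"):
            continue
        if security.lower() not in SAFE:
            found.append((host, domain, rule_map, security))
        if host == "*" and domain == "*":
            return found  # catch-all reached; later rules cannot apply
    # No catch-all rule covers this map: flag it for manual review.
    return found + [("*", "*", map_name, "<no rule>")]

def audit(text):
    """Map each password map to the list of rules that leave it exposed."""
    rules = parse_rules(text)
    return {m: findings(rules, m) for m in SECRET_MAPS}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg))
```

As the message notes, a `port` rule only helps where untrusted users cannot be root on a machine attached to the network.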

References:

http://www.openwall.com/lists/oss-security/2010/01/11/6
http://www.openwall.com/lists/oss-security/2010/01/08/2
http://www.openwall.com/lists/oss-security/2010/01/08/1
http://www.openwall.com/lists/oss-security/2010/01/07/3
http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup
http://sourceware.org/bugzilla/show_bug.cgi?id=11134
http://marc.info/?l=oss-security&m=126320570505651&w=2
http://marc.info/?l=oss-security&m=126320356003425&w=2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333


Copyright 2024, cxsecurity.com

 
