Vulnerability Note VU#538033
ypxfrd daemon fails to properly validate user supplied arguments in "getdbm" procedure
Overview
A vulnerability in the ypxfrd daemon may allow a local attacker to read arbitrary files on the vulnerable system.
I. Description
Janusz Niewiadomski, of iSEC, discovered this vulnerability and produced the following advisory.
Issue:
======
Improper argument validation in ypxfrd may allow a local attacker to read any file on the system.
Description:
============
The ypxfrd daemon is used to speed up the distribution of large NIS maps from the NIS master to NIS slave servers.
Details:
========
When the getdbm procedure is called, the ypxfrd daemon creates a path to the /var/yp/domain/map file (where domain and map are arguments provided in the request). Unfortunately it fails to check if both arguments contain slash or dot characters, thus making databases outside the /var/yp directory accessible. A symlink can override the .pag / .dir file extension limitation, allowing a local attacker to read any file on the system.
Impact:
=======
When ypxfrd is configured and running, a local attacker is able to read any file on the system. It is also possible to remotely read databases outside the /var/yp directory, depending on the securenets configuration.
II. Impact
A local attacker may be able to read any file on the vulnerable system. This may lead to privilege escalation.
III. Solution
Apply a patch.
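The check the advisory's Details section says is missing can be sketched as follows. This is an added example, not the vendor patch or ypxfrd's own code; the names yp_name_ok, yp_map_path and yp_open_map are hypothetical. It rejects domain and map arguments that could leave /var/yp, and refuses to serve a symlink in place of a .pag / .dir file.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define YP_DIR "/var/yp"   /* map root named in the advisory */

/* A domain or map name must stay a single path component: non-empty,
 * no '/', no leading '.' (rejects "." and ".."). Interior dots are kept
 * because real names such as "passwd.byname" contain them. */
static int yp_name_ok(const char *s)
{
    if (s == NULL || s[0] == '\0' || s[0] == '.')
        return 0;
    return strchr(s, '/') == NULL;
}

/* Build YP_DIR/<domain>/<map><ext>; -1 if rejected or truncated. */
int yp_map_path(char *out, size_t len, const char *domain,
                const char *map, const char *ext)
{
    int n;
    if (!yp_name_ok(domain) || !yp_name_ok(map))
        return -1;
    n = snprintf(out, len, "%s/%s/%s%s", YP_DIR, domain, map, ext);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Open a map file without following a symlink in the last component,
 * and serve it only if it is a regular file. Returns fd or -1. */
int yp_open_map(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

O_NOFOLLOW covers only the final path component, so the name validation is what keeps the directory part of the path under /var/yp.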
Systems Affected
References
http://isec.pl/vulnerabilities/0006.txt
http://isec.pl/
Credit
Thanks to Janusz Niewiadomski for reporting this vulnerability. We also thank Sun Microsystems for their assistance.
This document was written by Ian A Finlay.
Other Information
| Date Public: | 2002-10-09 |
| Date First Published: | 2002-10-10 |
| Date Last Updated: | 2003-04-09 |
| CERT Advisory: | |
| CVE-ID(s): | CAN-2002-1199 |
| NVD-ID(s): | CAN-2002-1199 |
| US-CERT Technical Alerts: | |
| Metric: | 4.50 |
| Document Revision: | 7 |