SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#538033

ypxfrd daemon fails to properly validate user supplied arguments in "getdbm" procedure

Overview

A vulnerability in the ypxfrd daemon may allow a local attacker to read arbitrary files on the vulnerable system.

I. Description

Janusz Niewiadomski, of iSEC, discovered this vulnerability and produced the following advisory.

Issue:
======
Improper arguments validation in ypxfrd may allow local attacker to read any file on the system.

Description:
============
ypxfrd daemon is used for speed up the distribution of large NIS maps from NIS master to NIS slave servers.

Details:
========
When getdbm procedure is called, ypxfrd daemon creates a path to the /var/yp/domain/map file (where domain and map are arguments provided in the request). Unfortunately it fails to check if both arguments contains slash or dot characters, thus making databases outside /var/yp directory accessible. A symlink done can override .pag / .dir file extension limitation, allowing local attacker to read any file on the system.

Impact:
=======
When ypxfrd is configured and running, local attacker is able to read any file on the system. It is also possible to remotely read database outside /var/yp directory, depending on the securenets configuration.

II. Impact

A local attacker my be able to read any file on the vulnerable system. This may lead to privilege escalation.

III. Solution

Apply a patch.

Systems Affected

VendorStatusDate Updated
Apple Computer Inc.Not Vulnerable3-Sep-2002
BSDIUnknown29-Aug-2002
ConectivaUnknown29-Aug-2002
Cray Inc.Not Vulnerable4-Sep-2002
Data GeneralUnknown29-Aug-2002
DebianNot Vulnerable30-Oct-2002
FreeBSDNot Vulnerable18-Sep-2002
FujitsuUnknown29-Aug-2002
Guardian Digital Inc. Unknown29-Aug-2002
Hewlett-Packard CompanyUnknown29-Aug-2002
IBMVulnerable10-Oct-2002
MandrakeSoftNot Vulnerable11-Oct-2002
MontaVista SoftwareUnknown29-Aug-2002
NEC CorporationNot Vulnerable24-Sep-2002
NetBSDUnknown29-Aug-2002
NeXTUnknown29-Aug-2002
OpenBSDNot Vulnerable5-Sep-2002
Openwall GNU/*/LinuxUnknown29-Aug-2002
Red Hat Inc.Not Vulnerable29-Aug-2002
SequentUnknown29-Aug-2002
SGINot Vulnerable29-Aug-2002
Sony CorporationUnknown29-Aug-2002
Sun Microsystems Inc.Vulnerable10-Oct-2002
SuSE Inc.Not Vulnerable29-Aug-2002
The SCO Group (SCO UnixWare)Vulnerable18-Sep-2002
UnisysUnknown29-Aug-2002
Wind River Systems Inc.Unknown29-Aug-2002

References


http://isec.pl/vulnerabilities/0006.txt
http://isec.pl/

Credit

Thanks to Janusz Niewiadomski for reporting this vulnerability. We also thank Sun Microsystems for their assistance.

This document was written by Ian A Finlay.

Other Information

Date Public10/09/2002
Date First Published10/10/2002 01:46:11 PM
Date Last Updated04/09/2003
CERT Advisory 
CVE-ID(s)CAN-2002-1199
NVD-ID(s)CAN-2002-1199
US-CERT Technical Alerts 
Metric4.50
Document Revision7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader