Vulnerability Note VU#538033

ypxfrd daemon fails to properly validate user supplied arguments in "getdbm" procedure

Original Release date: 10 Oct 2002 | Last revised: 09 Apr 2003

Overview

A vulnerability in the ypxfrd daemon may allow a local attacker to read arbitrary files on the vulnerable system.

Description

Janusz Niewiadomski, of iSEC, discovered this vulnerability and produced the following advisory.

Issue:
======
Improper argument validation in ypxfrd may allow a local attacker to read any file on the system.

Description:
============
The ypxfrd daemon is used to speed up the distribution of large NIS maps from the NIS master to NIS slave servers.

Details:
========
When the getdbm procedure is called, the ypxfrd daemon creates a path to the /var/yp/domain/map file (where domain and map are arguments provided in the request). Unfortunately it fails to check whether either argument contains slash or dot characters, thus making databases outside the /var/yp directory accessible. A symlink can override the .pag / .dir file extension limitation, allowing a local attacker to read any file on the system.

Impact:
=======
When ypxfrd is configured and running, a local attacker is able to read any file on the system. It is also possible to remotely read databases outside the /var/yp directory, depending on the securenets configuration.
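The advisory above describes two defects: request arguments are pasted into a path under /var/yp without being checked for separators or ".." components, and the ".pag"/".dir" suffix check is defeated by a symlink with a matching name. The following C example, added here and not taken from ypxfrd or any vendor patch, shows the argument validation and symlink-safe open that close both gaps. The root directory, the function names and the 4096-byte path buffer are assumptions for illustration; NIS domain and map names legitimately contain dots (example.com, passwd.byname), so the check rejects traversal components rather than every dot.

```c
#define _POSIX_C_SOURCE 200809L   /* lstat/fstat and O_NOFOLLOW on glibc */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

#define YP_ROOT "/var/yp"         /* assumed map root, as in the advisory */

/* A request component is acceptable only if it is a single, non-empty
   path element: no '/' anywhere, and not the "." or ".." pseudo-directories.
   This is the check the advisory says ypxfrd lacked. */
int component_ok(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    if (strchr(s, '/') != NULL)
        return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
        return 0;
    return 1;
}

/* Only the two halves of a DBM database may be requested. */
int suffix_ok(const char *suffix)
{
    return suffix != NULL &&
           (strcmp(suffix, ".pag") == 0 || strcmp(suffix, ".dir") == 0);
}

/* Build YP_ROOT/<domain>/<map><suffix>, or return NULL when any part of
   the request is unacceptable or the result would not fit. The buffer is
   static, which is adequate for a single-threaded daemon. */
const char *map_path(const char *domain, const char *map, const char *suffix)
{
    static char buf[4096];
    int n;

    if (!component_ok(domain) || !component_ok(map) || !suffix_ok(suffix))
        return NULL;
    n = snprintf(buf, sizeof buf, "%s/%s/%s%s", YP_ROOT, domain, map, suffix);
    if (n < 0 || (size_t)n >= sizeof buf)
        return NULL;
    return buf;
}

/* Open the map file without following a symlink at the final component,
   then confirm on the open descriptor that it is a regular file. A symlink
   named foo.pag that points elsewhere is refused by O_NOFOLLOW, and using
   fstat after open avoids a check-then-open race. Returns an fd or -1. */
int open_map_file(const char *path)
{
    struct stat st;
    int fd;

    if (path == NULL)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed requests: one legitimate, one traversal attempt. */
    const char *ok  = map_path("example.com", "passwd.byname", ".pag");
    const char *bad = map_path("example.com", "../../etc/shadow", ".pag");

    printf("%s\n", ok  ? ok  : "(rejected)");
    printf("%s\n", bad ? bad : "(rejected)");
    return 0;
}
```

The same validation should be applied to every procedure that turns a request argument into a path, and the open should be done by a process that has no more access than it needs under /var/yp, so a bypass of the checks still cannot reach files such as /etc/shadow.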

Impact

A local attacker may be able to read any file on the vulnerable system. This may lead to privilege escalation.

Solution

Apply a patch.

Systems Affected

Vendor                          Status        Date Notified  Date Updated
IBM                             Affected      28 Aug 2002    10 Oct 2002
Sun Microsystems Inc.           Affected      -              10 Oct 2002
The SCO Group (SCO UnixWare)    Affected      28 Aug 2002    18 Sep 2002
Apple Computer Inc.             Not Affected  28 Aug 2002    03 Sep 2002
Cray Inc.                       Not Affected  28 Aug 2002    04 Sep 2002
Debian                          Not Affected  28 Aug 2002    30 Oct 2002
FreeBSD                         Not Affected  28 Aug 2002    18 Sep 2002
MandrakeSoft                    Not Affected  28 Aug 2002    11 Oct 2002
NEC Corporation                 Not Affected  28 Aug 2002    24 Sep 2002
OpenBSD                         Not Affected  28 Aug 2002    05 Sep 2002
Red Hat Inc.                    Not Affected  28 Aug 2002    29 Aug 2002
SGI                             Not Affected  28 Aug 2002    29 Aug 2002
SuSE Inc.                       Not Affected  28 Aug 2002    29 Aug 2002
BSDI                            Unknown       28 Aug 2002    29 Aug 2002
Conectiva                       Unknown       28 Aug 2002    29 Aug 2002

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

Thanks to Janusz Niewiadomski for reporting this vulnerability. We also thank Sun Microsystems for their assistance.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2002-1199
  • Date Public: 09 Oct 2002
  • Date First Published: 10 Oct 2002
  • Date Last Updated: 09 Apr 2003
  • Severity Metric: 4.50
  • Document Revision: 7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.