Ken Weaverling said...

>-----BEGIN PGP SIGNED MESSAGE-----
>A user here stumbled upon a nice gaping hole in Linux using NIS. I sent
>mail to CERT about it TUESDAY LAST WEEK, and got a form letter back to
>send. [...]
>Anyway, the Linux used here is Slackware 2.2.0. Not sure if the hole
>exists on others, and I've never seen it discussed elsewhere. I've tested
>my DG/UX systems and they are fine.
>
>This hole is incredibly simple. If you are running NIS on Linux, I
>can get root on your machine as easily as the famous -froot bug. No
>exploit scripts, poking at ports, or peeking at packets. Darn simple. [...]
>I know this is a full disclosure list, and I worry that others already know,
>especially since numerous people here apparently already know,
>so I am seriously considering posting details unless CERT stops ignoring
>me. I emailed them again today about it as well.
>
>I am in a real tizzy about this. I can't even tell you how to protect
>yourself without giving it away. Just disabling NIS will not be enough,
>believe it or not. :-( If you have *EVER* run NIS on your Linux box,
>you may be vulnerable :-(

Since I believe in full disclosure, I'll go ahead and take a stab at it.

I would guess that the problem is if you have "+::0:0:::" in your /etc/passwd file, anyone can do 'su +' and get root access. This hole seems to meet your criteria of being very simple and existing even with NIS disabled.

However, the Linux yp-client v1.6 docs clearly state that you should add an entry like "+:*:0:0:::" to your passwd file, which would not allow you to 'su +' and get root access.

The real problem seems to be that Linux will recognize '+' as being a valid user. Most other OSes (such as SunOS and Ultrix) do not.

Best of luck,

- Chris <cellwood@gauss.calpoly.edu>
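As an added example (not part of either post above), the following script audits a passwd file for the NIS compatibility entries Chris describes, flagging the weak "+::0:0:::" form (empty password field) and accepting the "+:*:0:0:::" form the yp-client docs recommend; it goes slightly beyond the post by also handling "+@netgroup" and "-name" entries. The sample passwd contents and all function names are constructed for this example.

```python
# Added example: audit /etc/passwd for NIS compat ("+"/"-") entries whose
# password field is empty. The post reports that Linux treats the literal
# "+" as a real user, so "+::0:0:::" lets anyone 'su +' without a password;
# "+:*:0:0:::" keeps the field locked and is reported as fine.

# Constructed sample passwd file containing both forms of the NIS entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/sh
+::0:0:::
+:*:0:0:::
+@admins::::::
-bob::::::
"""

def parse_passwd(text):
    """Yield (name, password, uid, gid) for each non-empty passwd line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        # Compat entries may omit trailing fields; pad to the usual seven.
        fields += [""] * (7 - len(fields))
        yield fields[0], fields[1], fields[2], fields[3]

def is_nis_compat(name):
    """True for '+', '+user', '+@netgroup', '-user', '-@netgroup' entries."""
    return name.startswith("+") or name.startswith("-")

def check_nis_entries(text):
    """Return a list of (entry_name, verdict) for every NIS compat entry."""
    findings = []
    for name, pw, uid, gid in parse_passwd(text):
        if not is_nis_compat(name):
            continue
        if name.startswith("-"):
            # Exclusion entries never grant a login, whatever the fields say.
            findings.append((name, "ok: exclusion entry"))
        elif pw == "":
            # Empty password field: if the system accepts the literal entry
            # name as a user, authentication needs no password at all.
            detail = " (uid 0)" if uid == "0" else ""
            findings.append((name, "WEAK: empty password field" + detail))
        else:
            findings.append((name, "ok: password field locked"))
    return findings

if __name__ == "__main__":
    for entry, verdict in check_nis_entries(SAMPLE_PASSWD):
        print(f"{entry!r}: {verdict}")
```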