CERT VU:538033
History: Oct 10, 2002 - 12:00 a.m.

ypxfrd daemon fails to properly validate user supplied arguments in "getdbm" procedure

www.kb.cert.org
CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.004 Low (Percentile: 74.5%)

Overview

A vulnerability in the ypxfrd daemon may allow a local attacker to read arbitrary files on the vulnerable system.

Description

Janusz Niewiadomski, of iSEC, discovered this vulnerability and produced the following advisory.

`Issue:

Improper argument validation in ypxfrd may allow a local attacker to read any file on the system.

Description:

The ypxfrd daemon is used to speed up the distribution of large NIS maps from the NIS master to NIS slave servers.

Details:

When the getdbm procedure is called, the ypxfrd daemon creates a path to the /var/yp/domain/map file (where domain and map are arguments provided in the request). Unfortunately it fails to check if both arguments contain slash or dot characters, thus making databases outside the /var/yp directory accessible. A symlink can override the .pag / .dir file extension limitation, allowing a local attacker to read any file on the system.

Impact:

When ypxfrd is configured and running, a local attacker is able to read any file on the system. It is also possible to remotely read databases outside the /var/yp directory, depending on the securenets configuration.`


Impact

A local attacker may be able to read any file on the vulnerable system. This may lead to privilege escalation.


Solution

Apply a patch.
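
The check whose absence the advisory describes, written out as an added example (not code from any vendor's ypxfrd): the domain and map arguments must each be a single path component before they are joined under /var/yp, and only the .pag and .dir extensions are accepted. The function names and the sample requests are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define YP_ROOT "/var/yp"   /* map directory named in the advisory */

/* Hypothetical helper: accept only a single path component. Dots inside a
 * name stay legal (NIS map names such as passwd.byname contain them). */
static int yp_component_ok(const char *s)
{
    if (s == NULL || s[0] == '\0')
        return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
        return 0;
    return strchr(s, '/') == NULL;
}

/* Hypothetical helper: build YP_ROOT/<domain>/<map><ext> into out.
 * Returns 0 on success, -1 if an argument is rejected or the result
 * would be truncated; out is left empty on failure. */
int yp_map_path(char *out, size_t outlen,
                const char *domain, const char *map, const char *ext)
{
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!yp_component_ok(domain) || !yp_component_ok(map))
        return -1;
    if (ext == NULL || (strcmp(ext, ".pag") != 0 && strcmp(ext, ".dir") != 0))
        return -1;
    n = snprintf(out, outlen, "%s/%s/%s%s", YP_ROOT, domain, map, ext);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests: (domain, map) pairs as sent by a client. */
    const char *req[][2] = {
        { "example.com", "passwd.byname" },
        { "..", "passwd.byname" },
        { "example.com", "../../tmp/x" },
    };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%s / %s -> %s\n", req[i][0], req[i][1],
               yp_map_path(path, sizeof path, req[i][0], req[i][1], ".pag") == 0
                   ? path : "rejected");
    return 0;
}
```

Refusing traversal is what keeps an attacker-created symlink out of reach; opening the resulting path with O_NOFOLLOW and checking for a regular file with fstat() is an additional safeguard.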


Vendor Information

IBM Affected

Notified: August 28, 2002 Updated: October 10, 2002

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the issue detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0. An efix package for this issue will be available from the IBM software ftp site by 10/16/2002 at the latest. The package will be located at:

<ftp://ftp.software.ibm.com/aix/efixes/security/ypserv_efix.tar.Z>

The efix packages can be downloaded via anonymous ftp from ftp.software.ibm.com/aix/efixes/security.

This directory contains a README file that gives further details on the efix packages.

The APARs for this vulnerability are:

AIX 4.3.3: IY34800 ( available approx 10/16/2002 )
AIX 5.1.0: IY34664 ( currently available )

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23538033 Feedback>).

Sun Microsystems Inc. Affected

Updated: October 10, 2002

Status

Affected

Vendor Statement

The Solaris ypxfrd(1M) and ypserv(1M) daemons are affected by this issue in all currently supported versions of Solaris:

Solaris 2.6, 7, 8, and 9

Patches are being generated for all of the above releases. Sun will be publishing Sun Alert #47903 for this issue shortly. The Sun Alert will be available from:

<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F47903>

The patches will be available from:

<http://sunsolve.sun.com/securitypatch>

The SCO Group (SCO UnixWare) Affected

Notified: August 28, 2002 Updated: September 18, 2002

Status

Affected

Vendor Statement

SCO OpenServer is vulnerable to this issue, and we are currently working on a fix. Caldera OpenLinux is also vulnerable, and a fix is in progress. SCO Open UNIX and SCO UnixWare are not vulnerable.

Apple Computer Inc. Not Affected

Notified: August 28, 2002 Updated: September 03, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Cray Inc. Not Affected

Notified: August 28, 2002 Updated: September 04, 2002

Status

Not Affected

Vendor Statement

Cray Inc. is not vulnerable as it does not include the ypxfrd daemon as part of its NIS implementation.

Debian Not Affected

Notified: August 28, 2002 Updated: October 30, 2002

Status

Not Affected

Vendor Statement

Debian is not vulnerable.

FreeBSD Not Affected

Notified: August 28, 2002 Updated: September 18, 2002

Status

Not Affected

Vendor Statement

This vulnerability does not exist in FreeBSD’s implementation of the NIS map transfer server, rpc.ypxfrd(8).

MandrakeSoft Not Affected

Notified: August 28, 2002 Updated: October 11, 2002

Status

Not Affected

Vendor Statement

MandrakeSoft products are not vulnerable as we use an independent version from Thorsten Kukuk.

NEC Corporation Not Affected

Notified: August 28, 2002 Updated: September 24, 2002

Status

Not Affected

Vendor Statement

sent on September 24, 2002

[Server Products]

  • EWS/UP 48 Series operating system
    - is NOT vulnerable, since it does not support ypxfrd(1M).

OpenBSD Not Affected

Notified: August 28, 2002 Updated: September 05, 2002

Status

Not Affected

Vendor Statement

We do not have this daemon. Various internal database formats made it very difficult for us to write code that would use this protocol; so we instead transfer maps using the older – slower – method.

Red Hat Inc. Not Affected

Notified: August 28, 2002 Updated: August 29, 2002

Status

Not Affected

Vendor Statement

Red Hat products are not vulnerable to this issue.

SGI Not Affected

Notified: August 28, 2002 Updated: August 29, 2002

Status

Not Affected

Vendor Statement

IRIX is not vulnerable.

SuSE Inc. Not Affected

Notified: August 28, 2002 Updated: August 29, 2002

Status

Not Affected

Vendor Statement

The implementation that we are using in all currently supported SuSE products is independent code from Thorsten Kukuk <[email protected]>. This code has a check for the occurrence of “/”-characters in the supplied filename, and bails out if this is the case. SuSE products are therefore not vulnerable to this problem.

BSDI Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Conectiva Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Data General Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Fujitsu Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Guardian Digital Inc. Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett-Packard Company Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

MontaVista Software Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

NeXT Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Openwall GNU/*/Linux Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Sequent Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Sony Corporation Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Unisys Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Wind River Systems Inc. Unknown

Notified: August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Acknowledgements

Thanks to Janusz Niewiadomski for reporting this vulnerability. We also thank Sun Microsystems for their assistance.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-1199
Severity Metric: 4.50
Date Public:
