SNI-27: Vulnerabilities in Sun NIS+

Thomas H. Ptacek (tqbf@SECURENETWORKS.COM)
Mon, 23 Mar 1998 13:04:35 -0700

Secure Networks Inc.
in conjunction with

CORE SDI S.A.

Security Advisory
March 23, 1998

Security Issues in Sun NIS+

-----------------------------------------------------------------------------

SYNOPSIS

The Network Information Service Plus (NIS+) is a network directory service
that provides management and resource location support (including
authentication and name resolution) to heterogeneous distributed systems.
Due to implementation problems, the programs supporting NIS+ can be
exploited by an attacker to recover various pieces of system status
information.

It is important to understand that the issues highlighted in this advisory
present no immediate threat of remote compromise; with one exception (the
ability to disable NIS+ logging remotely), all the vulnerabilities
discussed in this advisory do nothing but leak system status and
configuration information. Because NIS+ is a security-critical service,
however, any security issues discovered in it are worth attention.

-----------------------------------------------------------------------------

DESCRIPTION

NIS+, which replaces the original NIS (also known as "YP"), is made
available to a network via the ONC RPC mechanism, which allows NIS+
clients to interact with the server using remote procedure calls over a
network. The principal server program that supports this is "rpc.nisd",
the RPC NIS+ daemon.

Because the services provided by NIS+ are security-critical, NIS+
is designed to operate securely. An aspect of this design is the concept
of "security levels", which determine the amount of scrutiny given to
incoming RPC NIS requests.

There are three security levels, numbered 0 through 2. In level 0, the
NIS+ server (rpc.nisd) performs no authentication to determine the
legitimacy of incoming requests. This option is provided for debugging
purposes. In level 1, RPC AUTH_UNIX (client-presented UIDs and GIDs)
are used to authenticate requests. In level 2, the most secure level,
AUTH_DES is used to cryptographically authenticate incoming requests.

Unfortunately, even when the system is operating in security level 2,
which should mandate cryptographic authentication for all requests, the
rpc.nisd daemon provides several RPC calls that are not authenticated.
These calls allow a remote client to obtain sensitive system status
information from the NIS+ server.

The information available to a remote attacker includes NIS+ configuration
information (including the security level of the server and a list of
directory objects served by it), as well as the ability to determine valid
process IDs on the NIS+ server.

Additionally, one of the RPC calls available to remote clients can allow
an attacker to disable logging on the NIS+ server, as well as to
manipulate the NIS+ caches. This may allow attackers to degrade or deny
service on NIS+ servers.

The ability to use NIS+ to remotely ascertain valid process IDs is serious
because it allows an attacker the ability to predict certain random
numbers generated by Unix applications. Frequently, Unix applications
generate random numbers using the process ID and the current time, either
directly or as a seed to a random number generator.

-----------------------------------------------------------------------------

TECHNICAL DETAILS

Three remote procedure calls made available by the NIS+ daemon "rpc.nisd"
have been identified. These are:

A. NIS_CALLBACK

Using the NIS_CALLBACK RPC, arbitrary clients can determine the validity
of a given PID (or, using multiple queries, map out the identities of
all valid process IDs).

B. NIS_STATUS

Using the NIS_STATUS RPC, arbitrary clients can obtain information about
the NIS+ server configuration, including:

1. The server security level.
2. Whether the server is operating in NIS/YP compatibility mode.
3. Whether the server is a root NIS+ server.
4. Whether it is using its own DNS resolver or forwarding DNS requests.
5. The list of all directory objects provided by this server.

C. NIS_SERVSTATE

Using the TAG_DEBUG option to this RPC, any remote user can turn off all
rpc.nisd logging. Using the TAG_*CACHE options (D for the directory cache,
T for the table cache, and G for the group cache), the directory, table,
and group caches can be flushed.
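The three procedures in A through C, together with the security-level discussion above, describe requests that a level-2 rpc.nisd should refuse but does not. The following detector is an added example and is not part of the advisory: it decodes ONC RPC call headers from UDP payloads and reports NIS+ calls to those procedures from outside a configurable set of trusted client networks (the same distinction the packet-filter workaround relies on), as well as any NIS+ call carrying a credential flavor weaker than AUTH_DES. It assumes the rpc.nisd program number 100300 and the procedure numbers 14, 17 and 21 for NIS_STATUS, NIS_CALLBACK and NIS_SERVSTATE as defined in rpcsvc/nis.x; the sample packets are constructed.

```python
import ipaddress
import struct

NIS_PROG, AUTH_DES = 100300, 3    # rpc.nisd program number ("nisd" in /etc/rpc); AUTH_DES flavor
# Procedure numbers as given in rpcsvc/nis.x; assumed by this example, not stated in the advisory.
UNAUTH_PROCS = {14: "NIS_STATUS", 17: "NIS_CALLBACK", 21: "NIS_SERVSTATE"}
AUTH_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_UNIX", 2: "AUTH_SHORT", 3: "AUTH_DES"}

def parse_rpc_call(payload):
    """Decode the fixed part of an ONC RPC v2 CALL header (RFC 1831) from a UDP payload."""
    if len(payload) < 32:
        raise ValueError("truncated RPC header")
    xid, mtype, rpcvers, prog, vers, proc, flavor, _clen = struct.unpack("!8I", payload[:32])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL message")
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "flavor": flavor}

def audit_nis_calls(packets, trusted_nets):
    """One finding per NIS+ call a level-2 server should never see: the unauthenticated
    procedures from untrusted networks, and any NIS+ call with credentials weaker than AUTH_DES."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for src, payload in packets:
        try:
            hdr = parse_rpc_call(payload)
        except ValueError:
            continue                                  # not an RPC call at all
        if hdr["prog"] != NIS_PROG:
            continue                                  # some other RPC service
        trusted = any(ipaddress.ip_address(src) in n for n in nets)
        name = UNAUTH_PROCS.get(hdr["proc"], "proc %d" % hdr["proc"])
        flavor = AUTH_FLAVORS.get(hdr["flavor"], "flavor %d" % hdr["flavor"])
        if hdr["proc"] in UNAUTH_PROCS and not trusted:
            findings.append("%s: %s from untrusted host (%s)" % (src, name, flavor))
        elif hdr["flavor"] != AUTH_DES:
            findings.append("%s: %s with %s credentials" % (src, name, flavor))
    return findings

def rpc_call_header(xid, prog, vers, proc, flavor):
    """Constructed sample: a CALL header with empty credential and verifier bodies."""
    return struct.pack("!10I", xid, 0, 2, prog, vers, proc, flavor, 0, 0, 0)

if __name__ == "__main__":
    sample = [  # constructed traffic for illustration, not captured data
        ("203.0.113.9", rpc_call_header(1, NIS_PROG, 3, 14, 0)),  # NIS_STATUS, AUTH_NONE, outside
        ("10.0.0.5", rpc_call_header(2, NIS_PROG, 3, 1, 3)),      # NIS_LOOKUP, AUTH_DES, trusted
        ("10.0.0.7", rpc_call_header(3, NIS_PROG, 3, 21, 1)),     # NIS_SERVSTATE, AUTH_UNIX, trusted
    ]
    print("\n".join(audit_nis_calls(sample, ["10.0.0.0/8"])))
```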

-----------------------------------------------------------------------------

VULNERABLE SYSTEMS

Solaris 2.x systems up to Solaris 2.5.1, making use of the Network
Information Service Plus (NIS+) system, are vulnerable to these problems.

-----------------------------------------------------------------------------

RESOLUTION

These problems can be worked around by using packet filters to block UDP
traffic to the NIS+ server. Note, however, that blocking UDP to the NIS+
server from valid NIS+ clients will cause the NIS+ system to fail, so the
filter must only apply to untrusted sources.

SunSoft has been notified of this problem and is working on a fix.

-----------------------------------------------------------------------------

ADDITIONAL INFORMATION

These problems were originally identified by CORE SDI S.A., an
Argentina-based computer security organization, in February of 1997.

More information about the NIS+ system is available in a technical
paper from SunSoft entitled "Network Information Service Plus (NIS+)", by
Chuck McManis and Saqib Jang. The paper is available at:

http://opcom.sun.ca/pub/docs/solaris/NISPlus.ps.Z

A list of frequently asked questions is available at:

http://ee.sun.ac.kr/~ramdrive/NIS+_FAQ.html

CERT Advisory CA-96.10 details a vulnerability in the NIS+ stemming
from improper configuration of password table permissions. The advisory
reprints AUSCERT Advisory AA-96.02. CERT advisories are available at

http://www.cert.org

A Spanish-language NIS+ reference is available at:

http://a01-unix.uc3m.es/~pduenas/nisplus.html

Further questions about this advisory can be addressed to Emiliano
Kargieman <ek@securenetworks.com> and Ivan Arce at
<ivan@securenetworks.com>.

-----------------------------------------------------------------------------

ABOUT SECURE NETWORKS, INC.

Secure Networks, Inc. (SNI) is a security research and development company
based in Calgary, Alberta, Canada. SNI is the largest independent source
of full-disclosure security advisories and new vulnerability information
in the world. For more information about this or other advisories, contact
us at <sni@secnet.com>. A PGP key is provided if privacy is required.

For the full text of this and all of SNI's other advisories, see our web
page at "http://www.secnet.com/advisories/". General information about SNI
is available at "http://www.secnet.com".

-----------------------------------------------------------------------------

COPYRIGHT INFORMATION

The contents of this advisory are Copyright (C) 1998 Secure Networks
Inc, and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

-----------------------------------------------------------------------------

Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
Secure Networks <security@secnet.com>

