From cwf@soc.unl.ac.uk  Wed May 29 22:38:37 1996
Received: from soc.unl.ac.uk (soc.unl.ac.uk [163.167.80.16]) by suburbia.net (8.7.4/Proff-950810) with SMTP id WAA28861 for <best-of-security@suburbia.net>; Wed, 29 May 1996 22:38:11 +1000
Received: from jamshyd.unl.ac.uk (soc.unl.ac.uk) by soc.unl.ac.uk  (5.x/SMI-SVR4)
	id AA14571; Wed, 29 May 1996 13:38:52 +0100
Date: Wed, 29 May 1996 13:38:47 +0100 (BST)
From: Clifford Wesley Fulford <cwf@soc.unl.ac.uk>
X-Sender: cwf@jamshyd.unl.ac.uk
To: best-of-security@suburbia.net
Subject: NIS+ configuration
Message-Id: <Pine.GSO.3.93.960529133412.13196F-100000@jamshyd.unl.ac.uk>
Return-Receipt-To: cwf@soc.unl.ac.uk
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Below is the proposed text for bulletins further to CERT CA-92.10 and CIAC
G-23, which I thought you might find of interest.

Implementing the workarounds proposed in the CERT/CIAC advisories could
still leave sites vulnerable to ordinary users gaining root privileges.

Clifford W Fulford
CBF-International
------------------------------------------------------------------
CERT Advisory CA-96.10
CIAC Advisory G-23

Topic: NIS+ configuration

Vulnerability
-----------
The vulnerability to mis-configuration of the NIS+ passwd table extends beyond 
that described in the above bulletins.

All sites which use the command line or scripts to create user accounts are
potentially vulnerable. 

Description
-----------
The problem occurs when additions to the table are made from the command line
or in a script. 

In addition to the table and column permissions described in the above
referenced bulletins, consideration must be given to the entry permissions.
By default the entry's owner has modify permission on their own entry. This
is known to be a problem at least up to Solaris 2.4.

The permissions on an entry may be seen with the command

	niscat -o [name=username],passwd.org_dir.

This will produce output similar to

Object Name   : passwd
Owner         : hostname.domainname.
Group         : admin.domainname.
Domain        : org_dir.domainname.
Access Rights : ----rmcdr---r---
Time to Live  : 12:0:0
Object Type   : ENTRY
	Entry data of type passwd_tbl
	[1] - [4 bytes] 'username'
	[2] - [14 bytes] Encrypted data
	[3] - [4 bytes] '586'
	[4] - [4 bytes] '220'
	[5] - [31 bytes] 'An Illustrative User Name'
	[6] - [16 bytes] '/home/ugrad/username'
	[7] - [9 bytes] '/bin/ksh'
	[8] - [24 bytes] Encrypted data

It is the owner's permissions here that are critical: the owner has modify
rights on their own entry.

By default the entry will be owned by the creator (hostname.domain. if
created by root, or adminuser.domain. if created by a member of the
NIS+ domain's admin group), but it is usual to change the owner to the
user to permit password changes (this is done automatically if using
admintool).

If the owner now logs on and issues the command

	nistbladm -m uid=0 [name=username],passwd.org_dir

he or she will gain root privileges. (It may take a little while for the new
UID to be disseminated if there are replica servers which are servicing the NIS+
requests faster than the master.) No special privileges such as admin group
membership are required to do this.

Workarounds
-----------

To change the permissions on the entry, use the command

	nischmod  na=,o=r [name=username],passwd.org_dir

If we now look at the permissions on the entry we should see:

Object Name   : passwd
Owner         : username.domainname.
Group         : admin.domainname.
Domain        : org_dir.domainname.
Access Rights : ----r-----------
Time to Live  : 12:0:0
Object Type   : ENTRY
	Entry data of type passwd_tbl
	[1] - [4 bytes] 'username'
	[2] - [14 bytes] Encrypted data
	[3] - [4 bytes] '586'
	[4] - [4 bytes] '220'
	[5] - [31 bytes] 'An Illustrative User Name'
	[6] - [16 bytes] '/home/ugrad/username'
	[7] - [9 bytes] '/bin/ksh'
	[8] - [24 bytes] Encrypted data

Again these are the permissions and ownership that would be set using
admintool.

I can provide scripts to change all user entries to the correct ownership
and permissions (this should be done immediately by any sites who identify
this problem) and account creation scripts that will create new users with
secure permissions.
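A defender-side audit for the condition described above, added here as an example and not part of the original post or the author's scripts: it reads saved output of `niscat -o '[name=...],passwd.org_dir'` runs, and for every entry whose owner still holds modify rights it prints the nischmod fix from the Workarounds section. The embedded sample dump is constructed (example.com. names, users alice and bob) and is not real NIS+ output.

```sh
#!/bin/sh
# Added example, not the author's script: audit saved "niscat -o" output
# for passwd entries whose OWNER still holds modify rights, and print the
# nischmod fix from the Workarounds section for each one.
#
# "Access Rights" is 16 characters in four rmcd groups (read, modify,
# create, destroy) for nobody, owner, group and world, in that order.

# True (exit 0) when the owner group of an access-rights string has 'm'.
owner_can_modify() {
    owner=$(printf '%s' "$1" | cut -c5-8)
    case "$owner" in
        *m*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read one or more niscat -o dumps on stdin; for every ENTRY object whose
# owner can modify, emit the corrective nischmod command line.
audit_dump() {
    awk -v q="'" '
        /^Access Rights/ { rights = $NF }
        /^Object Type/   { type = $NF }
        /\[1\] - /       {              # column [1] holds the user name
            name = $NF; gsub(q, "", name)
            if (type == "ENTRY" && substr(rights, 5, 4) ~ /m/)
                printf "nischmod na=,o=r [name=%s],passwd.org_dir\n", name
            rights = ""; type = ""
        }'
}

# Constructed sample (example.com. names): alice still has owner modify
# rights, bob has already been fixed.
SAMPLE_DUMP="Object Name   : passwd
Owner         : alice.example.com.
Access Rights : ----rmcdr---r---
Object Type   : ENTRY
        [1] - [5 bytes] 'alice'
Object Name   : passwd
Owner         : bob.example.com.
Access Rights : ----r-----------
Object Type   : ENTRY
        [1] - [3 bytes] 'bob'"

# Prints: nischmod na=,o=r [name=alice],passwd.org_dir
printf '%s\n' "$SAMPLE_DUMP" | audit_dump
```

On a real server, concatenate the `niscat -o` output for each account into one file and run `audit_dump < file`; review the printed commands before executing them.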

Clifford W. Fulford.
CBF-International.

-------------------------------------------------------------------
currently at
University of North London
ISS-UNIX development
E-mail:     Clifford@soc.unl.ac.uk
            Clifford@compulink.co.uk
            C.Fulford@unl.ac.uk

