SGI NIS Domain Name disclosure
| Description: | In what seems to be YET ANOTHER stupid SGI bug, the system is apparently "nice" enough to create a "home page" for new users in public_html/index.html or public_html/index.html.N if they already have an index.html. The problem is that this file often discloses the NIS domain name of the host, which obviously has serious repercusions. |
| Author: | Joerg Kuemmerlen <joku@BTGIX8.BGI.UNI-BAYREUTH.DE> |
| Compromise: | Leak of the NIS domain name. |
| Vulnerable Systems: | SGI O2 machines, presumably IRIX 6.3, 6.4 |
| Date: | 5 August 1997 |
Date: Tue, 5 Aug 1997 14:36:29 +0000
From: Joerg Kuemmerlen <joku@BTGIX8.BGI.UNI-BAYREUTH.DE>
To: BUGTRAQ@NETSPACE.ORG
Subject: Yet another (minor) SGI bug
Last Saturday I was cleaning up my web page directory, and
I found a 'index.html.N' file created by our new O2 (via NFS). Apparently
this is just a default home page 'outbox' was creating at the
time when I was first login onto the new O2 machine. Outbox was
even clever enough to realize that I already had a index.html and
was therefore writing the 'index.html.N' file. I was
close to deleting it, when I thought I might have a look on
the content of that file ;-))
I was a little bit angry, when I read that mail might be send to
me under an email address like
joku@O2internetaddress.NISDoimainname
I was tracing down the bug to a few lines in the outbox shell script
located at :
/var/X11/xdm/firsttime/outbox
There one finds :
#
# compute hostname
#
host=`/usr/bsd/hostname`
if [ -x /usr/bin/domainname ] ; then
hostonly=`echo $host | sed -e 's/\..*$//'`
thisdomain=`/usr/bin/domainname`
if [ "$thisdomain" != "" ] ; then
server=$host.$thisdomain
else
server=$host
fi
else
server=$host
fi
This line does all the damage:
thisdomain=`/usr/bin/domainname`
$thisdomain will contain the NIS daomain name,if NIS is running on the
machine.
The $server variable is finally used in the html file:
<p>Send <a href="mailto:$UserName@$server">email to me.</a>
<p>My machine is: <a href="/cgi-bin/MachineInfo">$host</a>
$server thus apparently contains the NIS domainname if NIS is running.
I guess that most of you know what to do in order to hack the
whole NIS domain once you have the NIS domain name ;-))
I was just crosschecking the whole thing with a few IRIX 6.3 and IRIX 6.4
machines running NIS and I found that the NIS domainname was written to
all default homepages *LOL*.
Furthermore I was checking a few O2 machines on the net - and again :
The NIS domain name could be found on the 'outbox' default homepages
of users, who most likely do not even know that they have a homepage
at all ;-)).
I guess the whole thing is a minor bug only: in most cases
I have checked NIS domain name and real domain name have
been identical (and easy to guess) anyway ;-))
Information has been sent to SGI Security headquarter and DFN-CERT
A few questions remain :
1.) Why has the domain name to be used ?? hostname would simply be enough.
2.) Do SGI software engineers think about their code at all ??
3.) Has all SGI software to be tested by users instead of SGI software
engineers ??
4.) When will SGI stop this kind of WWW nonsense ??
Cheers
Joerg
--
*************************************************************************
* Joerg Kuemmerlen | *
* Bayerisches Geo-Institut | It's a *
* Universitaet Bayreuth | fulltime *
* D-95440 Bayreuth | job for *
* Germany | anyone *
* | to stay *
* Tel.: ++49-921-55 37 19 | alive. *
* Fax : ++49-921-55 37 69 | *
* email: joku@uni-bayreuth.de | J. Cocker *
* WWW: http://torech-ungol.bgi.uni-bayreuth.de/~joku | *
*************************************************************************
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
