Bugtraq mailing list archives
Re: NIS and NIS+ ephemeral ports
From: rhooper () CYBERUS CA (Roy Hooper)
Date: Fri, 15 Jan 1999 10:45:47 -0500
Dylan Loomis wrote on Wednesday, January 13, 1999 3:00 PM:
Prelude: first got a brand new Ultra10 from sun, and surprsingly it had two root partitions. So booted from the second root, and found, in addition to the system accts, an account: sfa (sun field admin???) ran crack against it and the password ended up being: 'debug' no single quotes. This was a brand new, Solaris 2.6 box.
I just checked my Solaris 2.6x86 and Solaris 2.6 SPARC machines that have been installed clean from CD, and there is no "sfa" account. This appears to have something to do with the sun installation of Solaris.
In effect this means that I can write scripts to connect directly to the port and by-pass the portmapper. Why is this bad? Well because a lot of sites just block 111 (portmapper) and leave the rest open (ftp other stuff might need them). In addition, since it doesn't run from inetd, I am pretty sure you can't run tcpwrappers. Since it bypasses the portmapper, a secure portmapper isn't much good either. So if I can guess the high port, I can, in the case of NIS, get the hashed passwds quite easily. Workarounds include checking what ephem port your server runs, and blocking it at the firewall. Just cutting off your NIS/NIS+ server from the outside world.
Sun NIS (and probably others) support what is known as securenets, which is a list of IPs and Netmasks that are allowed to talk to your NIS server. This file resides in /var/yp, and seems to be read only at startup.
Current thread:
- NIS and NIS+ ephemeral ports Dylan Loomis (Jan 13)
- Re: NIS and NIS+ ephemeral ports Roy Hooper (Jan 15)
- Re: NIS and NIS+ ephemeral ports Joseph K Shraibman (Jan 17)
- <Possible follow-ups>
- Re: NIS and NIS+ ephemeral ports Friedrichs, Oliver (Jan 15)
- Re: NIS and NIS+ ephemeral ports ga (Jan 15)
- Re: NIS and NIS+ ephemeral ports Roy Hooper (Jan 15)