From owner-freebsd-security Tue Mar 5 10:07:46 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA11801 for security-outgoing; Tue, 5 Mar 1996 10:07:46 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA11792 for ; Tue, 5 Mar 1996 10:07:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.4/8.6.10) with SMTP id KAA11869 for freebsd-security@freebsd.org; Tue, 5 Mar 1996 10:06:30 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199603051806.KAA11869@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: freebsd-security@freebsd.org
Subject: Ypghost Announced
Date: Tue, 05 Mar 96 10:06:29 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
Precedence: bulk

I recently came across this on comp.security.unix.  I'm posting it here as a heads up.

-------------------- Forwarded Message -----------------------------

Hello,

Ypghost is now finally on general release.  It can be obtained from:

    http://www.scit.wlv.ac.uk/~cs6171/hack/progs/ypghost/ypghost.html

Ypghost effectively adds false (ghost) entries to NIS maps.  It does this by watching the local network for UDP packets that are calls to the YPPROC_MATCH function of the RPC program YPPROG, and then sends out false replies.  Ypghost performs NIS spoofing as described in a paper on NIS security written by D.K.Hess, D.R.Safford and U.W.Pooch.

The most obvious implication is that false entries can be added to the NIS maps passwd.byname, passwd.byuid, passwd.adjunct.byname thus allowing possibly unauthorised root access.
The impact of such a weakness is vastly weakened by the fact that an unauthorised person must be able to listen for, and send packets, on the communication path between the NIS client and the NIS server.  In practice this means that ypghost must be run as root on a machine on the same local network, so in some ways it certainly isn't the best hacker's tool ever written.  Despite this it's still fairly neat since lots of people seem to talk about spoofing, but you don't often see it done in practice.  It does however rely on the spoofed response reaching the client before the real one, but in practice I don't see this as a significant problem.

Ypghost currently has the limitation that it only supports ethernet type interfaces, IP version 4 (with no fragmentation or options), UDP, RPC version 2 (with AUTH_NULL), YPPROG version 2, and assuming the -p option is not specified, PMAP_PROG version 2.  I expect the majority of systems to comply with all these conditions though.

Ypghost has been written to be fairly portable, using the 'libpcap' portable packet capturing library to receive packets, and raw sockets to transmit packets.  Unfortunately old kernels don't allow you to set the source address, so it won't work with SunOS 4.1 kernels or standard current linux kernels (I expect linux will be fixed very soon however).

Ypghost is known to work on:

    SunOS 5.4 (solaris)
    Linux 1.2.13 & 1.3.14 (details of how to modify kernel supplied).

It also compiles and runs on FreeBSD 2.1.0, although I have not been able to test whether it does definitely work.  I couldn't comment about other versions of unix, but anything with libpcap, an ANSI compiler, and a *decent* implementation of raw sockets should work.

Note that ypghost needs the libpcap library.
The standard version works fine on SunOS (and many other platforms) and there is also a patched version for linux available (which isn't incorporated into the standard release I think because work on libpcap seems to have stopped at version 0.0.6 !).  FreeBSD (at least) seems to come with libpcap as standard.  I'll probably put both libpcap and libpcap for linux on my page, or at least details where to get them from.

Arny - cs6171@scitsc.wlv.ac.uk
http://www.scit.wlv.ac.uk/~cs6171/hack/index.html

------------------------ End of Forwarded Message ---------------------

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support           BITNET: CSCHUBER@BCSC02.BITNET
BC Systems Corp.               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
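The spoofing pattern described in the forwarded message (a forged YPPROC_MATCH reply racing the real server's answer) leaves a detectable trace on the wire: two RPC replies for one transaction id, or a reply from a host the client never asked. The following is an added example by the editor, not part of the original posting or of ypghost: a small Python detector over decoded UDP payloads. The RPC/YP constants come from the protocol definitions; the addresses, ports, domain name and packet contents are constructed sample traffic, not a real capture.

```python
import struct

# From the NIS protocol definition (yp.x): YPPROG 100004, version 2, YPPROC_MATCH = 3.
YPPROG, YPVERS, YPPROC_MATCH = 100004, 2, 3
RPC_CALL, RPC_REPLY = 0, 1  # RPC v2 msg_type values

def xdr_string(s):
    """XDR-encode a string: 4-byte length, bytes, zero padding to a 4-byte boundary."""
    b = s.encode()
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)

def match_call(xid, domain, mapname, key):
    """Constructed YPPROC_MATCH call: RPC v2 header, AUTH_NULL cred and verf, ypreq_key args."""
    hdr = struct.pack(">6I", xid, RPC_CALL, 2, YPPROG, YPVERS, YPPROC_MATCH)
    auth_null = struct.pack(">II", 0, 0)  # flavor AUTH_NULL, zero-length body
    return hdr + auth_null + auth_null + xdr_string(domain) + xdr_string(mapname) + xdr_string(key)

def match_reply(xid, value):
    """Constructed reply: MSG_ACCEPTED, AUTH_NULL verf, SUCCESS, then ypresp_val (YP_TRUE, value)."""
    return struct.pack(">6I", xid, RPC_REPLY, 0, 0, 0, 0) + struct.pack(">i", 1) + xdr_string(value)

def detect_ghost_replies(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples in capture order.
    Flags replies from a source other than the server the call went to, and second
    replies for an XID already answered (a ghost reply racing the real one)."""
    pending, answered, alerts = {}, set(), []
    for src_ip, src_port, dst_ip, dst_port, data in packets:
        if len(data) < 8:
            continue
        xid, mtype = struct.unpack(">II", data[:8])
        if mtype == RPC_CALL and len(data) >= 24:
            rpcvers, prog, vers, proc = struct.unpack(">4I", data[8:24])
            if (rpcvers, prog, vers, proc) == (2, YPPROG, YPVERS, YPPROC_MATCH):
                pending[xid] = (dst_ip, dst_port)  # server this lookup was sent to
        elif mtype == RPC_REPLY and xid in pending:
            if (src_ip, src_port) != pending[xid]:
                alerts.append(("reply-from-unexpected-source", xid, src_ip))
            if xid in answered:
                alerts.append(("duplicate-reply", xid, src_ip))
            answered.add(xid)
    return alerts

def sample_capture():
    """Constructed traffic: one passwd.byname lookup, the real server's answer, a forged
    duplicate carrying the server's address as source, and a reply from another host."""
    client, server, other = ("10.0.0.5", 1023), ("10.0.0.1", 1000), ("10.0.0.9", 1000)
    xid = 0x1234
    return [
        (*client, *server, match_call(xid, "example.dom", "passwd.byname", "root")),
        (*server, *client, match_reply(xid, "root:x:0:0:root:/:/bin/sh")),
        (*server, *client, match_reply(xid, "root:x:0:0:ghost entry:/:/bin/sh")),
        (*other, *client, match_reply(xid, "root:x:0:0:ghost entry:/:/bin/sh")),
    ]
```

Running `detect_ghost_replies(sample_capture())` reports the forged duplicate from the server's address and both conditions for the reply from the third host; in a real deployment the payloads would come from a libpcap UDP decode rather than the constructed list.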