NIS Password File Access

Summary

The NIS server answers map queries, including queries for the password map, from any host that can reach it, so arbitrary hosts can retrieve the NIS password file.

Impact

A malicious user can retrieve the password file, including its password hashes, and run an automated password-guessing program against it offline, at leisure and without touching the target again. Every account whose password is guessed gives the attacker a login on the target system.

Background

The NIS (Network Information Service) implements network-wide access to administrative information. Examples of databases (also called NIS maps) that are shared via NIS include the password file, which is the map at issue here. NIS databases are organized in domains, and one NIS server can serve multiple NIS domains. To perform a query, a client sends a request to an NIS server specifying the NIS domain name, the name of the database (NIS map) to be searched, and a search key.

The Problem

Many NIS implementations provide no access control: every host that sends a request receives a reply. The only thing a querier needs to know is the server's NIS domain name. That name is often easy to guess (it is frequently the same as, or derived from, the site's DNS domain name), or it can be obtained via the bootparam network service. Whenever a local network is reachable from other networks, a remote intruder can therefore dump the password map and run a password-guessing program against it. Often, enough of those passwords are easy to guess that at least one account falls.
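What an intruder actually gets from a password map dump, and what a defender should look for in one, is clearer with a concrete triage. The following is an added example, not code from the original page or from any NIS implementation: it parses a constructed passwd map in the seven-field form that ypcat returns and sorts accounts by what their password field exposes. The sample accounts and hashes are made up; the "##user" marker is the SunOS/Solaris passwd.adjunct convention for a hash stored in a separate map, and "x" is the shadow-file convention.

```python
import re

# Constructed sample of what `ypcat -d <domain> -h <server> passwd.byname`
# prints.  Every account and hash below is invented for this example.
SAMPLE_PASSWD_MAP = """\
root:*LK*:0:1:Super-User:/:/sbin/sh
daemon:NP:1:1::/:/bin/false
alice:abJnggxhB/yWI:1001:100:Alice:/home/alice:/bin/sh
bob::1002:100:Bob:/home/bob:/bin/csh
carol:$1$saltsalt$Xf1hTq9T3Qx7Jm0kz2B1q.:1003:100:Carol:/home/carol:/bin/ksh
dave:##dave:1004:100:Dave:/home/dave:/bin/sh
nobody:*:60001:60001:Nobody:/:/bin/false
"""

# Traditional crypt(3) DES output: 13 characters from the crypt alphabet.
DES_CRYPT = re.compile(r'^[./0-9A-Za-z]{13}$')
# Values vendors put in the password field to disable password login.
LOCKED_MARKERS = {'*', '*LK*', 'NP', '!', '!!'}


def classify_hash(field):
    """Say what the second passwd field tells an intruder."""
    if field == '':
        return 'empty'        # no password at all: login needs no guessing
    if field in LOCKED_MARKERS:
        return 'locked'       # nothing to crack
    if field == 'x' or field.startswith('##'):
        return 'shadowed'     # hash kept in shadow / passwd.adjunct, not in this map
    if DES_CRYPT.match(field):
        return 'des'          # 8-character maximum, very fast to guess offline
    if field.startswith('$'):
        return 'modular'      # $1$ MD5, $5$/$6$ SHA, ...: slower, still guessable
    return 'unknown'


def triage_passwd_map(text):
    """Return {category: [usernames]} for a passwd map dump, in map order."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            raise ValueError(f'line {lineno}: expected 7 fields, got {len(fields)}')
        user, pw_hash = fields[0], fields[1]
        results.setdefault(classify_hash(pw_hash), []).append(user)
    return results


def crackable_accounts(text):
    """Accounts the dump hands straight to a guessing program (or needs none for)."""
    t = triage_passwd_map(text)
    return sorted(t.get('empty', []) + t.get('des', []) + t.get('modular', []))


if __name__ == '__main__':
    for category, users in sorted(triage_passwd_map(SAMPLE_PASSWD_MAP).items()):
        print(f'{category:9s} {", ".join(users)}')
    print('crackable:', ', '.join(crackable_accounts(SAMPLE_PASSWD_MAP)))
```

Run against a real dump, the 'empty', 'des' and 'modular' lists are the accounts an intruder will go after; 'shadowed' entries show that the hashes live in another map (passwd.adjunct on Solaris), which is only a protection if that map is itself access-controlled.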

Resolution

To correct this vulnerability, system administrators should refer to their system documentation or vendor patch list, since many vendors have added access control to their ypserv implementation. The control file is commonly called securenets (for example /var/yp/securenets) and lists the networks and hosts the server will answer; anything not listed is refused.

One workaround is to run a portmapper with access control. Another is to block port 111 (portmap), both TCP and UDP, on the router. This makes attacks on NIS and NFS mount daemons more difficult, but it does not make them impossible: the RPC services still listen on their own ports, which a scanner can find without asking the portmapper. Password policy can be enforced by installing an alternative passwd command, such as anlpasswd, so that the passwords in the map are harder to guess even if the map leaks.
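The securenets check is simple enough to reproduce, which is a useful way to audit a file before trusting it. The following is an added example, not the original page's or ypserv's own code: it parses securenets lines in the "netmask network" form (with the Solaris-style "host" keyword accepted as a /32 netmask), evaluates whether a requesting address would be answered, and flags the wide-open "0.0.0.0 0.0.0.0" line that some packages ship as a default. Both configuration texts are constructed for the example, using documentation address ranges.

```python
import ipaddress

# Constructed: the allow-everybody default that some ypserv packages ship.
WEAK_SECURENETS = """\
# Always allow access for localhost
255.0.0.0   127.0.0.0
# This line gives access to everybody.  PLEASE ADJUST!
0.0.0.0     0.0.0.0
"""

# Constructed: loopback plus two local subnets, nothing else.
HARDENED_SECURENETS = """\
host          127.0.0.1
255.255.255.0 192.0.2.0
255.255.255.0 198.51.100.0
"""

ALL_ONES = 0xFFFFFFFF


def parse_securenets(text):
    """Return [(mask, network, original_line)] for every rule in the file."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # comments and blank lines are ignored
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f'line {lineno}: expected "netmask network", got {raw!r}')
        mask_s, net_s = parts
        # "host" is the Solaris securenets spelling of a single-address mask.
        mask = ALL_ONES if mask_s == 'host' else int(ipaddress.IPv4Address(mask_s))
        net = int(ipaddress.IPv4Address(net_s))
        if net & (~mask & ALL_ONES):
            raise ValueError(f'line {lineno}: host bits set in network {net_s}')
        rules.append((mask, net, raw))
    return rules


def is_allowed(rules, client_ip):
    """True if ypserv, honouring these rules, would answer client_ip."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return any((ip & mask) == net for mask, net, _ in rules)


def wide_open_rules(rules):
    """Lines with a zero netmask: they match every address and must go."""
    return [raw for mask, _, raw in rules if mask == 0]


if __name__ == '__main__':
    for name, text in (('weak', WEAK_SECURENETS), ('hardened', HARDENED_SECURENETS)):
        rules = parse_securenets(text)
        print(name, 'answers 203.0.113.9:', is_allowed(rules, '203.0.113.9'),
              '| wide-open lines:', wide_open_rules(rules))
```

One caveat when reading the result: an empty rule list here denies everything, whereas ypserv implementations that honor securenets typically answer every host when the file is missing altogether, so the absence of the file is the weak state, not a strict one.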

Where can I read more about this?

See the Admin Guide to Cracking for an example of why this vulnerability is a problem. Also, you can read more about general NIS issues and other NIS vulnerabilities at the CERT/CC Advisories page.