The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #362 [Yellow Pages Bug] (1 message, 1400 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/362.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: prcrs!paul@uunet.UU.NET (Paul Hite)
To: phage
Date: Fri 16:16:32 13/01/1989 EST
Subject: Yellow Pages Bug

Ning Zhang has found a serious security problem with all versions of
Yellow Pages.  The problem is that yppasswd(3) will allow any user to
set his password field to any string.  This includes embedded colons and
newlines.  Thus, one can introduce whole new records in /etc/passwd.
Zhang has written a program which can insert bogus lines in /etc/passwd.
We know for certain that the bug exists in Sun-Os, Ultrix, and HP-UX.
We suspect that it is in all versions of Yellow Pages.

As far as we know, Zhang discovered the bug a few weeks ago.  I have emailed
a very few people regarding this bug.  This is the first mass mailing of
any kind.  I will probably report the bug to the zardoz security list
sometime next week.

Below are some comments that Zhang has regarding the bug.  These comments
are from Zhang's program to exploit the bug.  I have taken the advice
against publishing the code to the program itself.  I will not publish
the code in the zardoz list.

Paul Hite   PRC Realty Systems  McLean,Va   uunet!prcrs!paul    (703) 556-2243
                      DOS is a four letter word!
======================================================================
** COPYRIGHT (C) 1989 NING ZHANG.
** ALL RIGHTS STRICTLY RESERVED.
** REDISTRIBUTION IS STRICTLY FORBIDDEN.
** THE PROGRAM IS ONLY FOR YP BUG TESTING.
**
**	Ning Zhang
**
**	Email:  zhang@zgdvda.uucp or ...mcvax!unido!zgdvda!zhang
**
**	Current Address:   Computer Graphics Center
**			   Wilhelminenstr. 7
**			   6100, Darmstadt
**			   West Germany
**
**	Permanent Address: Institute of Artificial Intelligence
**			   (Department of Computer Science and Engineering)
**			   Zhejiang University
**			   Hangzhou, P.R. China
**
** Suggestion for Fix:
**
**	If you have source, you should first patch the Yellow Page function
**	yppasswd(3) to limit the maximum length of encrypted password field
**	to be 13 and not to allow `:' and `\n' to occur in this field, then
**	rebuild all the Yellow Page stuff again.
**	If you have no source, you should patch yppasswd(1), yppasswdd(8),
**	yppasswd(3) etc. with adb(1) and don't allow a general user to call
**	yppasswd(3) by returning -1 immediately.
**
**
**	This is another security bug I found besides the passwd/chsh/chfn
**	discovery. Please e-mail me your testing result of this Yellow Page
**	bug. Your suggestions, comments and references are very welcome.
**	Thanks in advance.

END OF DOCUMENT
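
The fix suggested in the message above (cap the encrypted password field at 13 characters and refuse `:` and `\n`), sketched in C as an added example; it is not Zhang's program or any vendor's yppasswd code. It goes a step further than the suggestion by accepting only the 64 characters of traditional crypt(3) output, and the names check_pw_field and build_passwd_line and the sample account values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_FIELD_MAX 13   /* length limit from the suggested fix */

enum pw_check { PW_OK = 0, PW_TOO_LONG, PW_BAD_CHAR };

/* Validate a client-supplied encrypted password field.
 * buf is treated as len raw bytes, so an embedded NUL cannot hide a tail. */
enum pw_check check_pw_field(const char *buf, size_t len)
{
    static const char crypt_set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    size_t i;

    if (len > PW_FIELD_MAX)
        return PW_TOO_LONG;
    for (i = 0; i < len; i++)
        if (memchr(crypt_set, buf[i], sizeof crypt_set - 1) == NULL)
            return PW_BAD_CHAR;   /* rejects ':' and '\n' among others */
    return PW_OK;
}

/* Build one passwd record only if the field passes the check.
 * rest is the server's own "uid:gid:gecos:home:shell" text (hypothetical
 * parameter). Returns the record length, or -1 if rejected or truncated. */
int build_passwd_line(char *out, size_t outlen, const char *name,
                      const char *pw, size_t pwlen, const char *rest)
{
    int n;

    if (check_pw_field(pw, pwlen) != PW_OK)
        return -1;
    n = snprintf(out, outlen, "%s:%.*s:%s\n", name, (int)pwlen, pw, rest);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char line[256];
    /* Constructed sample values, not real account data. */
    if (build_passwd_line(line, sizeof line, "alice", "abJnggxhB/yWI", 13,
                          "1001:100:Alice:/home/alice:/bin/sh") > 0)
        fputs(line, stdout);
    return 0;
}
```

The check belongs on the server side of the update path, since a check made only in the client program can be bypassed by calling the library routine directly.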