ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #362 [Yellow Pages Bug] (1 message, 1400 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: prcrs!paul@uunet.UU.NET (Paul Hite)
Date: Fri 16:16:32 13/01/1989 EST
Subject: Yellow Pages Bug

Ning Zhang has found a serious security problem with all versions of Yellow Pages. The problem is that yppasswd(3) will allow any user to set his password field to any string. This includes embedded colons and newlines. Thus, one can introduce whole new records in /etc/passwd. Zhang has written a program which can insert bogus lines in /etc/passwd.

We know for certain that the bug exists in Sun-Os, Ultrix, and HP-UX. We suspect that it is in all versions of Yellow Pages.

As far as we know, Zhang discovered the bug a few weeks ago. I have emailed a very few people regarding this bug. This is the first mass mailing of any kind. I will probably report the bug to the zardoz security list sometime next week.

Below are some comments that Zhang has regarding the bug. These comments are from Zhang's program to exploit the bug. I have taken the advice against publishing the code to the program itself. I will not publish the code in the zardoz list.

Paul Hite
PRC Realty Systems
McLean, Va
uunet!prcrs!paul
(703) 556-2243
DOS is a four letter word!

======================================================================
** COPYRIGHT (C) 1989 NING ZHANG.
** ALL RIGHTS STRICTLY RESERVED.
** REDISTRIBUTION IS STRICTLY FORBIDDEN.
** THE PROGRAM IS ONLY FOR YP BUG TESTING.
**
** Ning Zhang
**
** Email: firstname.lastname@example.org or ...mcvax!unido!zgdvda!zhang
**
** Current Address: Computer Graphics Center
**                  Wilhelminenstr. 7
**                  6100, Darmstadt
**                  West Germany
**
** Permanent Address: Institute of Artificial Intelligence
**                    (Department of Computer Science and Engineering)
**                    Zhejiang University
**                    Hangzhou, P.R. China
**
** Suggestion for Fix:
**
** If you have source, you should first patch the Yellow Page function
** yppasswd(3) to limit the maximum length of encrypted password field
** to be 13 and not to allow `:' and `\n' to occur in this field, then
** rebuild all the Yellow Page stuffs again.
** If you have no source, you should patch yppasswd(1), yppasswdd(8),
** yppasswd(3) etc. with adb(1) and don't allow a general user to call
** yppasswd(3) by returning -1 immediately.
**
**
** This is another security bug I found besides the passwd/chsh/chfn
** discovery. Please e-mail me your testing result of this Yellow Page
** bug. Your suggestions, comments and references are very welcome.
** Thanks in advance.
END OF DOCUMENT
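
The check suggested in the message's "Suggestion for Fix", written out as an added example; it is not code from the message, from Zhang's program or from any Yellow Pages source. The function name, the result codes and the restriction to the traditional crypt(3) alphabet are assumptions of this example; the message itself asks only for a 13-character limit and for rejecting `:' and `\n'.

```c
#include <stdio.h>
#include <string.h>

/* Maximum length the message gives for the encrypted password field. */
#define PW_FIELD_MAX 13

/* Traditional crypt(3) output alphabet. Restricting the field to it is an
 * assumption of this example; the message only names ':' and '\n'. */
static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

enum pw_check { PW_OK = 0, PW_NULL, PW_TOO_LONG, PW_SEPARATOR, PW_BAD_CHAR };

/* Hypothetical helper: validate a client-supplied encrypted password field
 * before the server writes it into a passwd(5) record. Whether an empty
 * field should be accepted is a site policy question not decided here. */
enum pw_check check_pw_field(const char *field)
{
    size_t i, len = 0;

    if (field == NULL)
        return PW_NULL;
    /* Bounded scan: never read further than one byte past the limit. */
    while (len <= PW_FIELD_MAX && field[len] != '\0')
        len++;
    if (len > PW_FIELD_MAX)
        return PW_TOO_LONG;
    for (i = 0; i < len; i++) {
        /* ':' separates passwd fields and '\n' separates records. */
        if (field[i] == ':' || field[i] == '\n')
            return PW_SEPARATOR;
        if (strchr(CRYPT_ALPHABET, field[i]) == NULL)
            return PW_BAD_CHAR;
    }
    return PW_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from the message. */
    const char *samples[] = { "abJnggxhB/yWI", "abc:def", "abc\ndef",
                              "abJnggxhB/yWIx", "ab cdef" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %lu -> %d\n", (unsigned long)i,
               (int)check_pw_field(samples[i]));
    return 0;
}
```

The check belongs in the server-side update path, since a client-side check alone can be bypassed by calling the update routine directly.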
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|