The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #363 [Re: Yellow Pages Bug] (1 message, 786 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/363.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Jon Rochlis <jon@ATHENA.MIT.EDU>
To: [not phage]
Date: Fri 23:09:06 13/01/1989 EST
Subject: Re: Yellow Pages Bug
References: [Thread Prev: 362] [Thread Next: 364] [Message Prev: 362] [Message Next: 364]


Gene,

Feel free to pass this on if you feel it's interesting ...

On a related note, there are probably quite serious problems with YP even
forgetting about yppasswd and that flavor of attack.  I don't know much
about YP's implementation and haven't used Suns in about a year and a
half, but spoofing the YP server shouldn't be difficult at all.  What
happens if I flood a target machine with YP responses for a
/etc/passwd yp lookup for root (or some random username with uid = 0)
including a password string I know (or no password)?  Odds are my
packets will get there first (and in quantity) and any reply from the
real YP server will be lost.  Presto, I'm in.

The attack is only slightly more difficult if YP uses source IP
addresses and/or low number ports for authentication: then I need root
someplace or a PC on the net or something like that, but we should
assume that is trivial to come by in this day and age.  Faking the IP
addresses is trivial.  (And I can do it from anywhere on the Internet.)

		-- Jon

END OF DOCUMENT
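
A defender's view of the race described in the message, as an added example that is not part of the original post: a client-side check that flags a YP lookup receiving several differing answers, or an answer to a call that was never made. It assumes a sensor that logs each RPC call and reply with its transaction id (xid); the record layout, addresses and passwd lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, kind, peer_ip, rpc_xid, passwd_line) as a
# hypothetical sensor on the client might log them. All values are made up.
SAMPLE = [
    (0.000, "call",  "192.0.2.10", 0x1A2B, None),
    (0.001, "reply", "192.0.2.10", 0x1A2B, "root::0:0::/:/bin/sh"),
    (0.001, "reply", "192.0.2.10", 0x1A2B, "root::0:0::/:/bin/sh"),
    (0.004, "reply", "192.0.2.10", 0x1A2B, "root:Xq1example:0:0::/:/bin/csh"),
    (1.000, "call",  "192.0.2.10", 0x1A2C, None),
    (1.003, "reply", "192.0.2.10", 0x1A2C, "jon:Yz2example:1001:10::/u/jon:/bin/csh"),
    (2.000, "reply", "192.0.2.10", 0x9999, "root::0:0::/:/bin/sh"),
]


def find_reply_races(events, window=5.0):
    """Return sorted (xid, reason) alerts for lookups whose replies look raced."""
    calls = {}                    # (peer, xid) -> time the client sent the call
    replies = defaultdict(list)   # (peer, xid) -> payloads received in time
    alerts = []
    for ts, kind, peer, xid, payload in sorted(events, key=lambda e: e[0]):
        key = (peer, xid)
        if kind == "call":
            calls[key] = ts
        elif key not in calls or ts - calls[key] > window:
            # The source address proves nothing, so an answer with no
            # matching outstanding call is suspicious on its own.
            alerts.append((xid, "unsolicited reply"))
        else:
            replies[key].append(payload)
    for (_peer, xid), payloads in replies.items():
        if len(set(payloads)) > 1:
            # Two different answers to one question: one of them is not
            # from the real server. A uid 0 entry makes it worse.
            uid0 = any(p.split(":")[2] == "0" for p in payloads)
            reason = "conflicting replies"
            alerts.append((xid, reason + (" (uid 0 entry)" if uid0 else "")))
        elif len(payloads) > 1:
            # Identical duplicates can be ordinary UDP retransmission.
            alerts.append((xid, "duplicate replies"))
    return alerts and sorted(alerts)


if __name__ == "__main__":
    for xid, reason in find_reply_races(SAMPLE):
        print(f"xid=0x{xid:04X}: {reason}")
```

Detection of this kind only reports the race after the fact; the client has already acted on whichever reply arrived first.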