Rule:

--
Sid:
2088

--
Summary:
vulnerability in the rcp service ypupdated.

--
Impact:
Information disclosure and possible code execution.

Unauthorized super user access to the vulnerable host resulting in a 
compromise of all data on the host and any network resources that host 
is connected to. Full control of the victim is gained.

--
Detailed Information:
The ypupdated service is used in conjunction with NIS servers to 
remotely update changes made in NIS databases.

On recieving a request the yupdated service executes a make command 
using the Bourne shell. It is possible to execute code using 
metacharacters in the request.

Commands and code after the metacharacters in the request will be 
executed with the privileges of the super user on the vulnerable system.

--
Affected Systems:
	HP-UX 10.1, 10.10 and 10.20
	
	IBM AIX 3.2 and 4.1
	
	NEC EWS-UX/V (Rel4.2MP), (Rel4.2)
	NEC UP-UX/V (Rel4.2MP)
	NEC UX/4800 (64)
	
	SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3
	SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5
	SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3
	SGI IRIX 6.0, 6.0.1 XFS, 6.0.1
	
	Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4

--
Attack Scenarios:
The attacker needs to craft a specially formulated request to the 
rpc.ypupdated service containing a long username. An exploit for this 
vulnerability exists.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Apply pacthes for the affected systems as soon as possible.

Disable the rpc.ypupdated daemon.

Disallow all RPC requests from external sources and use a firewall to 
block access to RPC ports from outside the LAN.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/1749

--