Rule: -- Sid: 2089 -- Summary: vulnerability in the rcp service ypupdated. -- Impact: Information disclosure and possible code execution. Unauthorized super user access to the vulnerable host resulting in a compromise of all data on the host and any network resources that host is connected to. Full control of the victim is gained. -- Detailed Information: The ypupdated service is used in conjunction with NIS servers to remotely update changes made in NIS databases. On recieving a request the yupdated service executes a make command using the Bourne shell. It is possible to execute code using metacharacters in the request. Commands and code after the metacharacters in the request will be executed with the privileges of the super user on the vulnerable system. -- Affected Systems: HP-UX 10.1, 10.10 and 10.20 IBM AIX 3.2 and 4.1 NEC EWS-UX/V (Rel4.2MP), (Rel4.2) NEC UP-UX/V (Rel4.2MP) NEC UX/4800 (64) SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3 SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5 SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3 SGI IRIX 6.0, 6.0.1 XFS, 6.0.1 Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4 -- Attack Scenarios: The attacker needs to craft a specially formulated request to the rpc.ypupdated service containing a long username. An exploit for this vulnerability exists. -- Ease of Attack: Simple -- False Positives: None Known -- False Negatives: None Known -- Corrective Action: Apply pacthes for the affected systems as soon as possible. Disable the rpc.ypupdated daemon. Disallow all RPC requests from external sources and use a firewall to block access to RPC ports from outside the LAN. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: Bugtraq: http://www.securityfocus.com/bid/1749 --