Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution

Severity: High, Nessus Plugin ID: 31683

Synopsis

'ypupdated -i' is running on this port.

Description

ypupdated is part of NIS and allows a client to update NIS maps.

This old command execution vulnerability was discovered and fixed in 1995. However, ypupdated can still be run in insecure mode by starting it with the '-i' option.
In that mode, anybody can easily run commands as root on this machine by specifying an invalid map name that starts with a pipe (|) character. Exploits have been publicly available since the first advisory.

Solution

Remove the '-i' option.
If this option was not set, the rpc.ypupdated daemon is still vulnerable to the old flaw; contact your vendor for a patch.

Plugin Details

Severity: High

ID: 31683

File Name: ypupdated_remote_exec.nasl

Version: 1.16

Type: remote

Family: RPC

Published: 2008/03/28

Modified: 2018/08/07

Dependencies: 10223, 11111

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1994/12/12

Exploitable With

Metasploit (Solaris ypupdated Command Execution)

Reference Information

CVE: CVE-1999-0208

BID: 1749, 28383