Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution

High Nessus Plugin ID 31683

Synopsis

'ypupdated -i' is running on this port.

Description

ypupdated is part of NIS and allows a client to update NIS maps.

This old command execution vulnerability was discovered and fixed in 1995. However, it is still possible to run ypupdated in insecure mode by adding the '-i' option.
Anybody can easily run commands as root on this machine by specifying an invalid map name that starts with a pipe (|) character. Exploits have been publicly available since the first advisory.

Solution

Remove the '-i' option.
If this option was not set, the rpc.ypupdated daemon is still vulnerable to the old flaw; contact your vendor for a patch.
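
An added example, not part of the Nessus plugin: a POSIX shell check that flags ypupdated start-up lines carrying the '-i' option, whether they come from ps output or from an inetd.conf-style entry. The function names, the sample lines and the paths in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: find ypupdated start-up lines that carry the -i option.

# insecure_ypupdated LINE
# Returns 0 when LINE (ps arguments or an inetd.conf-style entry) starts
# ypupdated with -i, given alone or clustered with other single-letter flags.
insecure_ypupdated() {
    seen=0
    set -f                              # no globbing while word-splitting
    for word in $1; do
        case "$word" in
            \#*) break ;;               # rest of the line is a comment
        esac
        if [ "$seen" -eq 1 ]; then      # only look at words after the daemon name
            case "$word" in
                --)   break ;;
                -*i*) set +f; return 0 ;;
            esac
        fi
        case "${word##*/}" in           # compare on the basename of each word
            ypupdated|rpc.ypupdated) seen=1 ;;
        esac
    done
    set +f
    return 1
}

# audit: read lines on stdin and print those that still carry -i.
# Returns 0 if at least one insecure line was found, 1 otherwise.
audit() {
    found=1
    while IFS= read -r line; do
        if insecure_ypupdated "$line"; then
            printf 'INSECURE: %s\n' "$line"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample input: inetd.conf-style and ps-style lines.
sample='# rpc.ypupdated -i   (commented-out entry, ignored)
ypupdated/1 tli rpc/tcp wait root /usr/lib/netsvc/yp/rpc.ypupdated rpc.ypupdated -i
/usr/lib/netsvc/yp/rpc.ypupdated
/usr/sbin/rpc.ypupdated -si
/usr/bin/vi -i ypupdated.notes'

printf '%s\n' "$sample" | audit || true
```

A line that passes this check only shows that '-i' is absent; as the Solution states, an unpatched rpc.ypupdated remains vulnerable to the old flaw without it.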

Plugin Details

Severity: High

ID: 31683

File Name: ypupdated_remote_exec.nasl

Version: $Revision: 1.15 $

Type: remote

Family: RPC

Published: 2008/03/28

Modified: 2011/10/14

Dependencies: 10223, 11111

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1994/12/12

Reference Information

CVE: CVE-1999-0208

BID: 1749, 28383

OSVDB: 11517