Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution

high Nessus Plugin ID 31683

Synopsis

'ypupdated -i' is running on this port.

Description

ypupdated is part of NIS and allows a client to update NIS maps.

This old command execution vulnerability was discovered and fixed in 1995. However, it is still possible to run ypupdated in insecure mode by adding the '-i' option.
Anybody can easily run commands as root on this machine by specifying an invalid map name that starts with a pipe (|) character. Exploits have been publicly available since the first advisory.

Solution

Remove the '-i' option.
If this option was not set, the rpc.ypupdated daemon is still vulnerable to the old flaw; contact your vendor for a patch.
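To check a host against the solution above, the following added example (not part of the Nessus plugin or any vendor tooling) classifies how ypupdated is started from a process listing such as `ps -e -o args` or an inetd-style configuration file. The function name `classify_ypupdated`, the placeholder path `/path/to/` and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how rpc.ypupdated is started on a host.
# Input: lines on stdin, e.g. `ps -e -o args` output or an inetd-style config.
# Prints exactly one word:
#   insecure - ypupdated is started with an option cluster containing "i"
#   present  - ypupdated found without -i (still confirm the vendor patch)
#   absent   - no ypupdated invocation found
classify_ypupdated() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        {
            seen = 0
            for (f = 1; f <= NF; f++) {
                base = $f
                sub(/^.*\//, "", base)           # drop any directory prefix
                if (base == "rpc.ypupdated" || base == "ypupdated") {
                    seen = 1; found = 1; continue
                }
                # Only options after the daemon name count (-i alone or in a cluster).
                if (seen && $f ~ /^-[A-Za-z]*i[A-Za-z]*$/) insecure = 1
            }
        }
        END {
            if (insecure)   print "insecure"
            else if (found) print "present"
            else            print "absent"
        }'
}

# Constructed sample input, not captured from a real host.
sample='/usr/sbin/syslogd
# /path/to/rpc.ypupdated
/path/to/rpc.ypupdated -i'

# Demo run on the constructed sample.
printf '%s\n' "$sample" | classify_ypupdated
```

On a live system, feed it `ps -e -o args` output; a result of `present` still requires confirming the vendor patch, as the solution states.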

Plugin Details

Severity: High

ID: 31683

File Name: ypupdated_remote_exec.nasl

Version: 1.17

Type: remote

Family: RPC

Published: 3/28/2008

Updated: 6/12/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/12/1994

Exploitable With

Metasploit (Solaris ypupdated Command Execution)

Reference Information

CVE: CVE-1999-0208

BID: 1749, 28383