ypbind printf() format string

ypbind-printf-format-string (5394)

High Risk

Description:

The ypbind daemon in many Linux distributions is vulnerable to a format string attack. The ypbind daemon is used to request information from a Network Information Service (NIS) server. By sending a specially-crafted request to ypbind, a remote attacker can overwrite memory on the stack and execute arbitrary code to gain root access to the system.

Platforms Affected:

• RedHat, Linux 6.2
• RedHat, Linux
• SuSE, SuSE Linux

Remedy:

For SuSE Linux 7.0:
Upgrade to the latest version of ypbind (3.5-89 or later), as listed in SuSE Security Announcement #042. See References.

For SuSE Linux 6.2 through 6.4:
Upgrade to the latest version of ypbind (3.4-95 or later), as listed in SuSE Security Announcement #042. See References.

For Red Hat Linux 5.x:
Upgrade to the latest version of ypbind (3.3-10 or later), as listed in RHSA-2000:086-05. See References.

For Red Hat Linux 6.x:
Upgrade to the latest version of ypbind (1.7-0.6 or later), as listed in RHSA-2000:086-05. See References.

For Debian GNU/Linux 2.1 (alias slink):
Upgrade to the latest version of nis (3.5.2-1 or later), as listed in Debian Security Advisory 20001014. See References.

For Trustix Secure Linux 1.0x and 1.1:
Upgrade to the latest version of ypbind (3.3-29 or later), as listed in Trustix Security Advisory - ping gnupg ypbind. See References.

For Caldera OpenLinux 2.3 and 2.4:
Install the upgrade packages as listed in Caldera Systems, Inc. Security Advisory CSSA-2000-039.0. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Mon Oct 30 2000 - 08:43:28 CST, Trustix Security Advisory - ping gnupg ypbind at http://archives.neohapsis.com/archives/bugtraq/2000-10/0429.html.
• BugTraq Mailing List, Wed Oct 25 2000 - 03:16:06 CDT, Immunix OS Security Update for ypbind package at http://archives.neohapsis.com/archives/bugtraq/2000-10/0356.html.
• Caldera International, Inc. Security Advisory CSSA-2000-039.0, security problems in ypbind at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2000-039.0.txt.
• CIAC Information Bulletin L-009, Red Hat Linux "ypbind" Vulnerability at http://www.ciac.org/ciac/bulletins/l-009.shtml.
• Debian Security Advisory 20001014, nis: local exploit at http://www.debian.org/security/2000/20001014.
• Linux-Mandrake Security Update Advisory MDKSA-2000:064, ypbind and ypserv at http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-064.php3?dis=6.0.
• SuSE Security Announcement SuSE-SA:2000:042, ypbind/ypclient at http://www.suse.com/de/security/2000_042_nis_txt.html.
• BID-1820: S.u.S.E. ypbind-mt Format String Vulnerability
• BID-1824: Linux ypbind Local Format String Vulnerability
• CVE-2000-1040: Format string vulnerability in logging function of ypbind 3.3, while running in debug mode, leaks file descriptors and allows an attacker to cause a denial of service.
• CVE-2000-1044: Format string vulnerability in ypbind-mt in SuSE SuSE-6.2, and possibly other Linux operating systems, allows an attacker to gain root privileges.
• RHSA-2000-086: ypbind for Red Hat Linux 5.x

Reported:

Oct 18, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page