ISS X-Force Database: ypbind-printf-format-string(5394): ypbind printf() format string

ypbind printf() format string

ypbind-printf-format-string (5394)

High Risk

Description:

The ypbind daemon in many Linux distributions is vulnerable to a format string attack. The ypbind daemon is used to request information from a Network Information Service (NIS) server. By sending a specially-crafted request to ypbind, a remote attacker can overwrite memory on the stack and execute arbitrary code to gain root access to the system.

Consequences:

Gain Access

Remedy:

For SuSE Linux 7.0:
Upgrade to the latest version of ypbind (3.5-89 or later), as listed in SuSE Security Announcement #042. See References.

For SuSE Linux 6.2 through 6.4:
Upgrade to the latest version of ypbind (3.4-95 or later), as listed in SuSE Security Announcement #042. See References.

For Red Hat Linux 5.x:
Upgrade to the latest version of ypbind (3.3-10 or later), as listed in RHSA-2000:086-05. See References.

For Red Hat Linux 6.x:
Upgrade to the latest version of ypbind (1.7-0.6 or later), as listed in RHSA-2000:086-05. See References.

For Debian GNU/Linux 2.1 (alias slink):
Upgrade to the latest version of nis (3.5.2-1 or later), as listed in Debian Security Advisory 20001014. See References.

For Trustix Secure Linux 1.0x and 1.1:
Upgrade to the latest version of ypbind (3.3-29 or later), as listed in Trustix Security Advisory - ping gnupg ypbind. See References.

For Caldera OpenLinux 2.3 and 2.4:
Install the upgrade packages as listed in Caldera Systems, Inc. Security Advisory CSSA-2000-039.0. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

BugTraq Mailing List, Mon Oct 30 2000 - 08:43:28 CST: Trustix Security Advisory - ping gnupg ypbind.
BugTraq Mailing List, Wed Oct 25 2000 - 03:16:06 CDT: Immunix OS Security Update for ypbind package.
Caldera International, Inc. Security Advisory CSSA-2000-039.0: security problems in ypbind.
CIAC Information Bulletin L-009: Red Hat Linux "ypbind" Vulnerability.
Debian Security Advisory 20001014: nis: local exploit.
Linux-Mandrake Security Update Advisory MDKSA-2000:064: ypbind and ypserv.
SuSE Security Announcement SuSE-SA:2000:042: ypbind/ypclient.
BID-1820: S.u.S.E. ypbind-mt Format String Vulnerability
BID-1824: Linux ypbind Local Format String Vulnerability
CVE-2000-1040: Format string vulnerability in logging function of ypbind 3.3, while running in debug mode, leaks file descriptors and allows an attacker to cause a denial of service.
CVE-2000-1044: Format string vulnerability in ypbind-mt in SuSE SuSE-6.2, and possibly other Linux operating systems, allows an attacker to gain root privileges.
RHSA-2000-086: ypbind for Red Hat Linux 5.x

Platforms Affected:

RedHat Linux 6.2
RedHat Linux
SUSE SuSE Linux

Reported:

Oct 18, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page