NIS password file access
Summary
NIS password file access by arbitrary hosts.
Impact
Allows automated password guessing attacks.
Background
The NIS (Network Information Service) implements network-wide access to
administrative information. Examples of databases (also called NIS maps)
that are shared via NIS:
- the password file that describes what users have access to the system,
- the table with names and addresses of hosts on the network,
- electronic mail aliases.
NIS databases are organized in domains. One NIS server can serve
multiple NIS domains. In order to perform a query, a client sends a
request to a NIS server and specifies
- a NIS domain name,
- the name of the database (NIS map) to be searched,
- a search key.
The problem
Many NIS implementations provide no access control. Every host that
asks for information will receive a reply. In order to perform a query,
one needs to know the server's NIS domain name. Often, this name is
easy to guess, or it can be obtained via the bootparam network service.
When the local network is accessible from other networks, a remote
intruder can collect password file information and run a password
guessing program. Many people (including Dan Klein) have demonstrated
that people tend to choose passwords that are easy to guess.
Fix
- Several vendors have added access control to their ypserv
implementation. Check your system documentation or vendor patch
list. The control file is sometimes called securenets.
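As an added example (not part of this document, and not code from any vendor's ypserv), the following Python script parses a securenets-style file and reports whether a given client address would be admitted, so an administrator can check that the control file really excludes arbitrary hosts. The sample file, the "host" shorthand and the rule that a missing file means no access control are assumptions to verify against your vendor's documentation.

```python
import ipaddress
from pathlib import Path

# Constructed sample securenets file (not from the page): one rule per
# line, netmask first, then network; '#' starts a comment.  "host" is
# treated as shorthand for a single address (assumption: check your
# vendor's securenets man page for the exact syntax it accepts).
SAMPLE_SECURENETS = """\
# allow the local machine and the campus LAN only
255.0.0.0       127.0.0.0
255.255.255.0   10.20.30.0
host            10.99.1.5
"""

def parse_securenets(text):
    """Return one ipaddress.IPv4Network per rule, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            mask, net = line.split()
        except ValueError:
            raise ValueError(f"securenets line {lineno}: expected 'netmask network'")
        if mask == "host":
            mask = "255.255.255.255"
        rules.append(ipaddress.IPv4Network((net, mask), strict=False))
    return rules

def load_securenets(path):
    """Rules from the file, or None when the file is absent."""
    p = Path(path)
    return parse_securenets(p.read_text()) if p.exists() else None

def nis_client_allowed(client_ip, rules):
    """True if some rule admits the client.  A missing file (rules is
    None) is treated as the page's problem case: every host is answered."""
    if rules is None:
        return True
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in rule for rule in rules)

def allow_all_rules(rules):
    """Rules whose netmask admits every address (e.g. '0.0.0.0 0.0.0.0'),
    which make the file no better than having no access control."""
    return [r for r in rules or [] if r.prefixlen == 0]
```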
Workarounds
Other tips
- Consider blocking port 111 (portmap) on your network gateway.
This makes attacks on NIS and NFS mount daemons much harder.
- Enforce a policy for choosing passwords by installing an
alternative passwd command, for example anlpasswd.
- See the Admin Guide to Cracking for an example of why this is a problem.