NIS password file access
NIS password file access by arbitrary hosts.
Allows automated password guessing attacks.
The NIS (Network Information Service) implements network-wide access to
administrative information. Examples of databases (also called NIS maps)
that are shared via NIS:
- the password file that lists the accounts that have access to the
  system (and, unless shadow maps are used, their hashed passwords),
- the table with names and addresses of hosts on the network,
- electronic mail aliases.
NIS databases are organized in domains. One NIS server can serve
multiple NIS domains. In order to perform a query, a client sends a
request to a NIS server and specifies
- a NIS domain name,
- the name of the database (NIS map) to be searched,
- a search key (or a request for the entire map, as ypcat does).
Many NIS implementations provide no access control: every host that
asks for information receives a reply. The only thing a client needs
to know is the server's NIS domain name. Often this name is easy to
guess (it is frequently the same as, or derived from, the DNS domain
name), or it can be obtained via the bootparam service. The port on
which ypserv listens is not a secret either: the portmapper (port 111)
hands it out to anyone who asks, e.g. with rpcinfo -p.
When the local network is accessible from other networks, a remote
intruder can fetch the whole passwd map in one request and run a
password guessing program against the hashes offline, without ever
logging in to the target. Many researchers (including Dan Klein) have
demonstrated that users tend to choose passwords that are easy to
guess.
- Several vendors have added access control to their ypserv
  implementation. Check your system documentation or vendor patch
  list. The control file is sometimes called securenets; note that
  example securenets files shipped with some implementations contain
  an entry that allows every network, so check the file's contents,
  not just its presence.
- Consider blocking port 111 (portmap, both TCP and UDP) on your
  network gateway. This makes attacks on NIS and NFS mount daemons
  harder, but not impossible: ypserv and mountd still listen on their
  own ports, which a port scan will find, so filter those (or all RPC
  services) as well rather than relying on the portmapper alone.
- Enforce a policy for choosing passwords by installing an
alternative passwd command, for example
- See the Guide to Cracking for an example of why this is a problem.
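The following script is an added example, not part of the original page or of any vendor's NIS distribution. It ties together the two checks a practitioner would want: does the portmapper advertise ypserv (the service that answers map queries) and bootparam (the service that leaks the domain name), and does the securenets file actually restrict anything. The rpcinfo output and the securenets file below are constructed samples so the script runs offline; the host name, port numbers and network addresses in them are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for the NIS
# exposure described above. The sample data below is constructed; feed
# real `rpcinfo -p <host>` output and a real /var/yp/securenets instead.

# Constructed sample of `rpcinfo -p target` output for a hypothetical host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    818  ypserv
    100004    2   tcp    820  ypserv
    100026    1   udp    890  bootparam
    100003    2   udp   2049  nfs'

# Print the RPC services that matter for this attack: ypserv (program
# 100004) answers map queries, bootparam (program 100026) can reveal the
# NIS domain name. Reads rpcinfo output on stdin, prints
# "<service> <proto> <port>" per match. Note the ports are not 111: blocking
# the portmapper alone does not hide them from a scan.
nis_exposure() {
    awk '$1 == 100004 || $1 == 100026 { print $5, $3, $4 }'
}

# Constructed sample securenets file in ypserv format: "<netmask> <network>"
# or "host <address>". The first data line is the allow-everyone entry that
# some implementations ship as an example; with it present, securenets
# provides no protection at all.
SAMPLE_SECURENETS='# allow connections from everyone: effectively no access control
0.0.0.0        0.0.0.0
host           127.0.0.1
255.255.255.0  192.168.1.0'

# Print every securenets entry whose netmask covers more than a /8 (first
# octet of the mask is not 255), i.e. a single line admitting more than
# 16 million addresses. Exit status 1 if any such entry exists, 0 otherwise.
securenets_too_broad() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        $1 == "host" { next }                # single-host entry, always fine
        {
            split($1, m, ".")
            if (m[1] != "255") { print "too broad: " $0; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Live query against a real server (not run in this example): fetching one
# map is all an attacker needs. Uses the yp-tools ypcat options -d (domain)
# and -h (server). $1 = NIS server, $2 = NIS domain name.
nis_dump_passwd() {
    ypcat -d "$2" -h "$1" passwd
}

# Demonstration on the constructed samples.
echo "RPC services of interest:"
printf '%s\n' "$SAMPLE_RPCINFO" | nis_exposure
echo "securenets audit:"
printf '%s\n' "$SAMPLE_SECURENETS" | securenets_too_broad || \
    echo "securenets does not restrict access; fix it before relying on it"
```

Run it as-is to see both checks on the sample data; on a real network, replace the first sample with `rpcinfo -p <server>` output and the second with the server's securenets file. If `nis_exposure` prints a ypserv line and `securenets_too_broad` flags an entry, the server is in exactly the state this page describes, and `nis_dump_passwd <server> <domain>` from any host will return the password map.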