[OpenAFS] Distributing passwd
Charles Clancy
security@xauth.net
Thu, 12 Jun 2003 21:21:07 -0500 (CDT)
On Wed, 11 Jun 2003, Stephen Joyce wrote:
> NIS is notorious (infamous?) for being insecure. True, many of the
> vulnerabilities seem to have been fixed, and many were related to the
> ability to obtain dumps of the entire database for cracking... but not all
> if I recall. I seem to remember one that made it (almost) trivial to
> compromise a client by impersonating the nis master, and more than a couple
> of documented DOS vulnerabilities against the nis server process
> (Disclaimer: I haven't used NIS in a while, so if this is no longer true,
> apologies to the NIS advocates).
There are a few attacks.
1. dumping the passwd table (active)
typically, NIS servers will respond to any request from anywhere to
dump their tables -- list of valid usernames / encrypted passwords
2. sniffing (passive)
user on the subnet can sniff NIS queries that potentially contain
encrypted password information
3. man in the middle attacks
DOS the NIS server, while sending spoofed replies (it's UDP, easy
to spoof); server waits for joeuser to log in, and automatically
spoofs passwd entry "joeuser::0:0::/:/bin/sh"
Disabling passwordless login can hinder #3, but the attacker can just
substitute the hash of a known password there. #2 isn't worth worrying
about. #1 can be solved using ipchains, ipf, or whatever to block access
from subnets that shouldn't have access.
So, this is getting a bit off-topic. For those interested, I wrote an
article a while back on NIS security, that I plan to someday expand into a
Phrack article one day when I have time (i.e. never):
http://www.uiuc.edu/~tclancy/nis/article.txt
And even a set of tools to exploit all three of the vulnerabilities above:
http://www.uiuc.edu/~tclancy/nis/nistoolkit-0.1.tar.gz
In spite of all that, it's not really any more secure than LDAP. You'd
need some sort of authenticated NSS, like NIS+.
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
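As an added example (not part of the message above or of the toolkit it links), a defender-side audit in Python that parses passwd(5)-format lines, as `ypcat passwd` would return them, and flags entries matching the spoofed `joeuser::0:0::/:/bin/sh` pattern: an empty password field, or a non-root account with uid 0 (which still fires when the attacker substitutes a known hash for the empty field). The sample map and the function names are constructed for this example.

```python
"""Audit a NIS passwd map for passwordless or root-equivalent entries.

Constructed sample input: what `ypcat passwd` might return, including one
entry shaped like the spoofed reply described in the thread and one
malformed line to show the parser does not silently skip it.
"""

SAMPLE_MAP = """\
root:x:0:0:root:/root:/bin/sh
joeuser::0:0::/:/bin/sh
alice:$1$abc$xyz:1001:1001:Alice:/home/alice:/bin/bash
bob:*:1002:1002:Bob:/home/bob:/bin/false
broken:line
"""


def parse_passwd_line(line):
    """Split one passwd(5) line into a dict; return None if it is malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    name, pw, uid, gid, _gecos, home, shell = fields
    if not uid.isdigit() or not gid.isdigit():
        return None
    return {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
            "home": home, "shell": shell}


def audit_entry(entry):
    """Return the list of problems found in a single parsed entry."""
    findings = []
    if entry["pw"] == "":
        findings.append("empty password field (passwordless login)")
    if entry["uid"] == 0 and entry["name"] != "root":
        findings.append("non-root account with uid 0")
    return findings


def audit_passwd_map(text):
    """Map account name -> findings for every suspicious or malformed line."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        if entry is None:
            results.setdefault("<malformed>", []).append(f"line {lineno}: unparseable entry")
            continue
        problems = audit_entry(entry)
        if problems:
            results[entry["name"]] = problems
    return results


if __name__ == "__main__":
    for account, problems in audit_passwd_map(SAMPLE_MAP).items():
        print(account, "->", "; ".join(problems))
```

Feed it real map output with `ypcat passwd | python3 audit.py`-style piping (reading stdin instead of SAMPLE_MAP) to run the same check against a live server.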