{"vuid":"VU#538033","idnumber":"538033","name":"ypxfrd daemon fails to properly validate user supplied arguments in \"getdbm\" procedure","keywords":["ypxfrd daemon","user supplied arguments","getdbm procedure","local file reading"],"overview":"A vulnerability in the ypxfrd daemon may allow a local attacker to read arbitrary files on the vulnerable system.","clean_desc":"Janusz Niewiadomski, of iSEC, discovered this vulnerability and produced the following advisory. Issue: Improper argument validation in ypxfrd may allow a local attacker to read any file on the system. Description: The ypxfrd daemon is used to speed up the distribution of large NIS maps from the NIS master to NIS slave servers. Details: When the getdbm procedure is called, the ypxfrd daemon creates a path to the /var/yp/domain/map file (where domain and map are arguments provided in the request). Unfortunately it fails to check if both arguments contain slash or dot characters, thus making databases outside the /var/yp directory accessible. A symlink can override the .pag / .dir file extension limitation, allowing a local attacker to read any file on the system. Impact: When ypxfrd is configured and running, a local attacker is able to read any file on the system. It is also possible to remotely read databases outside the /var/yp directory, depending on the securenets configuration.","impact":"A local attacker may be able to read any file on the vulnerable system. This may lead to privilege escalation.","resolution":"Apply a patch.","workarounds":"","sysaffected":"","thanks":"Thanks to Janusz Niewiadomski for reporting this vulnerability.\nWe also thank Sun Microsystems for their assistance.","author":"This document was written by Ian A Finlay.","public":["http://isec.pl/vulnerabilities/0006.txt","http://isec.pl/"],"cveids":["CVE-2002-1199"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-08-28T18:47:21Z","publicdate":"2002-10-09T00:00:00Z","datefirstpublished":"2002-10-10T17:46:16Z","dateupdated":"2003-04-09T19:31:39Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"10","cam_impact":"10","cam_easeofexploitation":"12","cam_attackeraccessrequired":"10","cam_scorecurrent":"4.5","cam_scorecurrentwidelyknown":"5.625","cam_scorecurrentwidelyknownexploited":"10.125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.5,"vulnote":null}