
NIS
NIS (Network Information Service) contains data such as host files, password
files, and e-mail aliases for entire networks. It allows a remote user to obtain
copies of the NIS password map. An intruder who knows the NIS domain name
(often set up as a derivative of the public domain name) can steal
information helpful in guessing passwords and gaining unauthorized access. The
scanner attempts to find out whether the password file is obtainable from NIS.
If the scanner can guess the domain name, it shows where the NIS server is.
Fix: The NIS domain name should be something hard to guess. If the scanner can
guess it, change the NIS domain name. Also, make sure that if the password file
does get out, the passwords are hard to guess. The crack utility and password
shadowing help correct this weakness, but NIS/YP (Yellow Pages) transfers include
encrypted passwords even if they are shadowed and unreadable on the server. The
intruder can then crack them offline at leisure.
Advisories: CERT: CA-95:13,17
NIS Vulnerabilities:
SunOS Patch ID: 100482-XX at
NIS is running. NIS can be used by an intruder to grab the password file from
the machine.
Domain Name guessed. The domain name should be hard to guess. It can be used
with NIS to grab password files.
NIS password obtained via TCP.
NIS password obtained via UDP.
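The two checks in the Fix above can be run locally by an administrator. The following is an added example, not the scanner's own code: it tests whether an NIS domain name is a simple derivative of the public DNS domain and lists which passwd-map entries would hand out a hash (or no password at all) if the map were transferred. The derivative list is an assumed heuristic, and the domain names and map lines are constructed.

```python
# Added example: local audit of an NIS domain name and passwd map.
# All names and sample data below are constructed for illustration.

TAGS = ("nis", "yp")
# Password-field values that carry no crackable hash (shadow/lock markers).
PLACEHOLDERS = {"*", "x", "!", "!!", "NP", "*LK*"}

def domain_derivatives(dns_domain):
    """Names derivable from the public DNS domain (assumed heuristic)."""
    labels = dns_domain.lower().strip(".").split(".")
    bases = set(labels)                        # "eng", "example", "com"
    for i in range(len(labels)):               # "eng.example.com", "example.com", ...
        bases.add(".".join(labels[i:]))
    out = set(bases)
    for base in bases:                         # "example-nis", "yp.example.com", ...
        for tag in TAGS:
            out.add(f"{tag}.{base}")
            for sep in ("", "-", "_", "."):
                out.add(f"{base}{sep}{tag}")
    return out

def is_guessable(nis_domain, dns_domain):
    return nis_domain.lower().strip(".") in domain_derivatives(dns_domain)

def exposed_entries(passwd_map_lines):
    """Map account -> 'hash' or 'empty' for entries a map transfer would expose."""
    exposed = {}
    for line in passwd_map_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            continue                           # not a passwd(5)-style record
        name, pw = fields[0], fields[1]
        if pw == "":
            exposed[name] = "empty"            # no password at all
        elif pw not in PLACEHOLDERS and not pw.startswith(("*", "!", "##")):
            exposed[name] = "hash"             # hash travels with the map
    return exposed

# Constructed passwd-map lines, in the format `ypcat passwd` prints.
SAMPLE_MAP = [
    "alice:Kq3XzA9mPl0aE:1001:100:Alice:/home/alice:/bin/sh",
    "bob:x:1002:100:Bob:/home/bob:/bin/sh",
    "carol:##carol:1003:100:Carol:/home/carol:/bin/sh",
    "daemon:*:1:1::/:",
    "guest::1004:100:Guest:/home/guest:/bin/sh",
]

if __name__ == "__main__":
    print("Domain Name guessed:", is_guessable("example-nis", "example.com"))
    print("Exposed entries:", exposed_entries(SAMPLE_MAP))
```

Feed `exposed_entries` the output of `ypcat passwd` from a trusted client; every account it reports as `hash` should have a password that survives a cracking run, and every `empty` entry should be locked or given one.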