Re: Security impact of nscd and NSS module bugs (particularly NIS)

[Florian Weimer <fweimer at redhat dot com>]

On 07/03/2014 08:45 PM, Russ Allbery wrote:
> Florian Weimer <fweimer@redhat.com> writes:
>
> > The other difficulty in this area is NIS.  If we have a buffer overflow
> > in processing data from NIS, is this a security bug?  As far as I can
> > tell, NIS is mostly used for accounts, so a malicious server could just
> > serve an account with UID=0, so it's not obvious me that a trust
> > boundary is crossed (which is required for a security vulnerability).
>
> Using NIS at all these days is basically a security vulnerability.

I won't argue about that…

> That said, I do think a trust boundary has been crossed here.  Yes, NIS
> can return an account with UID=0, but there may be other controls in place
> locally to prevent someone from actually accessing that account (consider,
> for instance, PAM modules that require certain authentication protocols
> when accessing any account with UID=0 regardless of username).  A buffer
> overflow in NIS data processing potentially allows an attacker to
> compromise the system without having to authenticate to it in any way,
> which is more than changing the UID of NIS returns allows, unless I'm
> missing something.

Yes, there is some potential for privilege escalation if the attacker 
does not already have interactive access to the system (or write access 
to the file system).  The tricks you can play with changing login shells 
and home directories are somewhat limited.

I'm still not quite sure if this corner case is sufficient to worry 
about.  Unlike the nscd denial-of-service crashers, we are only talking 
about a short list of bugs here, so the impact from going with security+ 
on this one is pretty limited.

--
Florian Weimer / Red Hat Product Security