NIS/YP hole (again)

jack0 (jack0@CORINNE.MAC.EDU)
Wed, 19 Feb 1997 16:49:26 -0600

*YP/NIS/NIS+/forced-password-change security hole.*

Affected Sites:
Systems running Passwd+ or NPasswd and possibly other similar programs.
These are programs that have been developed to enable system
administrators to force users to change their passwords at set intervals
and check the passwords to make sure they use alphanumeric sequences as
opposed to common dictionary names. Although a step in the right
direction, these packages are not as secure as they seem.

Problem:
The problem lies in the program itself. To really asses blame, one can say
it is sloppy programming that causes this problem.  It is useful to force
a user to change their password every so often. However, the sequence of
events that is defaulted to by some incarnations of YP/NIS is really
horrendus. Watch:

UNIX(r) System V Release 4.0 (good religous site)

login: priest
Sorry Passwd has expired
Change:

Instead of having the user enter their OLD password, the YP/NIS program is
asking for the user to enter the new password without verifying that it is
actually the authorized user that is logging in. There is no other excuse
for this except for "pretty dumb". This is not something new-- just a
subject that has yet to be explained.

[Concept by: Jack Of Snot, jack0@corinne.mac.edu]
[Edited by: Jonathan Katz, jkatz@corinne.mac.edu]