Ypghost effectively adds false (ghost) entries to NIS maps.  It does
this by watching the local network for UDP packets that are calls to
the YPPROC_MATCH function of the RPC program YPPROG, and then sending
out false replies.

Ypghost performs NIS spoofing as described in a paper on NIS security
written by D.K.Hess, D.R.Safford and U.W.Pooch.

The most obvious implication is that false entries can be added to
the NIS maps passwd.byname, passwd.byuid and passwd.adjunct.byname,
thus allowing possibly unauthorised root access.

The impact of such a weakness is greatly reduced by the fact that
an unauthorised person must be able to listen for, and send, packets
on the communication path between the NIS client and the NIS server.
In practice this means that ypghost must be run as root on a machine
on the same local network, so in some ways it certainly isn't the best
hacker's tool ever written.  Despite this it's still fairly neat, since
lots of people seem to talk about spoofing, but you don't often see
it done in practice.

It does however rely on the spoofed response reaching the client
before the real one, but in practice I don't see this as a
significant problem.
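As an added example (not part of ypghost or this README), here is a defender-side check for the behaviour described above: decode the fixed ONC RPC v2 header from captured UDP payloads, remember YPPROC_MATCH calls by transaction id, and report any call that is answered more than once, which is how a spoofed reply racing the genuine one shows up on the wire. The program and procedure numbers are the standard ONC RPC values; the packets, addresses and reply bodies are constructed inline and are assumptions of the example.

```python
"""Added example: flag NIS YPPROC_MATCH calls that receive more than one reply."""
import struct
from collections import defaultdict

RPC_CALL, RPC_REPLY, RPC_VERSION, AUTH_NULL = 0, 1, 2, 0
YPPROG = 100004      # standard ONC RPC program number of NIS (ypserv)
YPPROC_MATCH = 2     # procedure number of YPPROC_MATCH

def parse_rpc(payload):
    """Decode the fixed ONC RPC v2 header (RFC 1057) of a UDP payload.
    Replies are assumed MSG_ACCEPTED with an AUTH_NULL verifier, the case ypghost targets."""
    xid, msg_type = struct.unpack("!II", payload[:8])
    if msg_type == RPC_CALL:
        rpcvers, prog, vers, proc = struct.unpack("!IIII", payload[8:24])
        return {"xid": xid, "type": "call", "rpcvers": rpcvers, "prog": prog, "vers": vers, "proc": proc}
    return {"xid": xid, "type": "reply", "body": payload[24:]}

def build_call(xid, proc=YPPROC_MATCH):
    """Constructed sample: YPPROG v2 call header with AUTH_NULL credential and verifier."""
    return struct.pack("!10I", xid, RPC_CALL, RPC_VERSION, YPPROG, 2, proc, AUTH_NULL, 0, AUTH_NULL, 0)

def build_reply(xid, body):
    """Constructed sample: MSG_ACCEPTED / SUCCESS reply with AUTH_NULL verifier plus result bytes."""
    return struct.pack("!6I", xid, RPC_REPLY, 0, AUTH_NULL, 0, 0) + body

def find_duplicate_replies(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload) in capture order.
    Returns {(client_ip, xid): [reply bodies]} for each YPPROC_MATCH call answered more than once."""
    pending = {}                 # xid -> client that issued the YPPROC_MATCH call
    replies = defaultdict(list)  # (client, xid) -> bodies of the replies seen
    for src, dst, payload in packets:
        if len(payload) < 24:
            continue             # too short to carry a complete RPC header
        m = parse_rpc(payload)
        if m["type"] == "call":
            if m["rpcvers"] == RPC_VERSION and m["prog"] == YPPROG and m["proc"] == YPPROC_MATCH:
                pending[m["xid"]] = src
        elif pending.get(m["xid"]) == dst:
            replies[(dst, m["xid"])].append(m["body"])
    return {key: bodies for key, bodies in replies.items() if len(bodies) > 1}

# Constructed capture: client 10.0.0.5 queries server 10.0.0.1. xid 0x1000 receives a forged
# reply (source address spoofed to the server's) and then the genuine one; xid 0x1001 is normal.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", build_call(0x1000)),
    ("10.0.0.1", "10.0.0.5", build_reply(0x1000, b"ghost-entry")),
    ("10.0.0.1", "10.0.0.5", build_reply(0x1000, b"genuine-entry")),
    ("10.0.0.5", "10.0.0.1", build_call(0x1001)),
    ("10.0.0.1", "10.0.0.5", build_reply(0x1001, b"genuine-entry")),
]
```

Because the forged reply carries the server's own source address, the source IP is no use as a signal; the duplicate answer to a single xid is the thing to alert on when feeding real UDP payloads from a pcap capture into this check.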

Ypghost currently has the limitation that it only supports ethernet-type
interfaces, IP version 4 (with no fragmentation or options),
RPC version 2 (with AUTH_NULL), YPPROG version 2 and, assuming
the -p option is not specified, PMAP_PROG version 2.  I expect the
majority of systems to comply with all these conditions though.

Ypghost has been written to be fairly portable, using the 'libpcap'
portable packet capturing library to receive packets, and raw sockets
to transmit packets.  Unfortunately old kernels don't allow you to
set the source address, so it won't work with SunOS 4.1 kernels or
standard current linux kernels (I expect linux will be fixed very
soon however).

Ypghost is known to work on:

	SunOS 5.4 (solaris)
	Linux 1.3 (details of how to modify kernel supplied).

I also expect it to work on:

	BSD4.4lite based systems such as FreeBSD, NetBSD, BSDi etc.

(I'll test it on BSD *very* soon, I just can't be bothered to reboot
my (normally linux) machine into BSD and start messing about).

I couldn't comment about other versions of unix, but anything with
libpcap, an ANSI compiler, and a *decent* implementation of raw
sockets should work.

Note that ypghost needs the libpcap library.  The standard version
works fine on SunOS (and many other platforms) and there is also
a patched version for linux available (which isn't incorporated into
the standard release, I think because work on libpcap seems to have
stopped at version 0.0.6!).  FreeBSD (at least) seems to come with
libpcap as standard.  I'll probably put both libpcap and libpcap for
linux on my page, or at least details of where to get them from.


Arny - cs6171@scitsc.wlv.ac.uk

			http://www.scit.wlv.ac.uk/~cs6171/hack/index.html

