Ypghost effectively adds false (ghost) entries to NIS maps.  It does
this by watching the local network for UDP packets that are calls to
the YPPROC_MATCH procedure of the RPC program YPPROG, and then sending
out false replies.

Ypghost performs NIS spoofing as described in a paper on NIS security
written by D. K. Hess, D. R. Safford and U. W. Pooch.

The most obvious implication is that false entries can be added to the
NIS maps passwd.byname, passwd.byuid and passwd.adjunct.byname, thus
possibly allowing unauthorised root access.

The impact of such a weakness is greatly reduced by the fact that an
unauthorised person must (virtually) be able to listen for, and send
packets on, the communication path between the NIS client and the NIS
server.  In practice this means that ypghost must be run as root on a
machine on the same local network, so in some ways it certainly isn't
the best hacker's tool ever written.  Despite this it's still fairly
neat, since lots of people seem to talk about spoofing but you don't
often see it done in practice.  It also underlines the point that
although NIS has lots of valid uses on most networks, it is perhaps
not a good idea to use it if security *really* is of absolute
paramount importance.

Ypghost  relies  on  the spoofed  response  reaching  the  client
before  the  real  one, but in practice I don't  see  this  as  a
significant  problem,  particularly  since I've  added  an  extra
command  line option in version 0.6 which  dramatically  improves
performance on some platforms. 
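The race described above is also what a defender can watch for on the wire: the client receives two replies to one RPC transaction id (XID), or a reply from a host it never asked.  The following is an added example, not code from ypghost or ypdump: a Python detector that decodes the RPC v2 header of captured UDP payloads (RFC 1057 layout; YPPROG 100004, version 2, YPPROC_MATCH 3 from yp.x) and flags both conditions.  The addresses, XIDs and sample packets are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# Constants from RFC 1057 (ONC RPC v2) and the NIS protocol definition (yp.x).
RPC_CALL, RPC_REPLY, RPC_VERSION = 0, 1, 2
YPPROG, YPVERS, YPPROC_MATCH = 100004, 2, 3

def parse_rpc(payload):
    """Decode the fixed RPC v2 header of a UDP message; None if not RPC v2."""
    if len(payload) < 12:
        return None
    xid, msg_type, third = struct.unpack_from("!III", payload, 0)
    if msg_type == RPC_CALL and third == RPC_VERSION and len(payload) >= 24:
        prog, vers, proc = struct.unpack_from("!III", payload, 12)
        return {"xid": xid, "type": "call", "prog": prog, "vers": vers, "proc": proc}
    if msg_type == RPC_REPLY:
        return {"xid": xid, "type": "reply", "stat": third}
    return None

def detect_spoofed_replies(packets):
    """packets: (src_ip, dst_ip, udp_payload) in capture order.  Flags a YPPROC_MATCH
    reply from a host other than the one asked, and any second reply to an answered
    XID (the race a spoofer must win, which shows even when the source is forged)."""
    pending = {}                 # (client_ip, xid) -> server the call went to
    answered = defaultdict(int)  # (client_ip, xid) -> replies seen so far
    alerts = []
    for src, dst, payload in packets:
        msg = parse_rpc(payload)
        if msg is None:
            continue
        if msg["type"] == "call":
            if (msg["prog"], msg["vers"], msg["proc"]) == (YPPROG, YPVERS, YPPROC_MATCH):
                pending[(src, msg["xid"])] = dst
            continue
        key = (dst, msg["xid"])
        if key not in pending:
            continue                 # reply to a call we did not see, or not NIS
        answered[key] += 1
        if src != pending[key]:
            alerts.append(f"xid {msg['xid']:#x}: reply from {src}, expected {pending[key]}")
        if answered[key] > 1:
            alerts.append(f"xid {msg['xid']:#x}: duplicate reply #{answered[key]} from {src}")
    return alerts

# Header builders for the constructed sample only: AUTH_NULL cred/verf, YP body omitted.
def rpc_call(xid, proc=YPPROC_MATCH):
    return struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION, YPPROG, YPVERS, proc) + b"\0" * 16
def rpc_reply(xid):
    return struct.pack("!III", xid, RPC_REPLY, 0) + b"\0" * 12

# Constructed sample: client 10.0.0.5 asks 10.0.0.1; a forged reply bearing the
# server's own source address arrives first, then the genuine reply follows.
SAMPLE = [("10.0.0.5", "10.0.0.1", rpc_call(0x1234)),
          ("10.0.0.1", "10.0.0.5", rpc_reply(0x1234)),
          ("10.0.0.1", "10.0.0.5", rpc_reply(0x1234))]
```

On the sample traffic only the second reply is flagged, as a duplicate for XID 0x1234; a spoofer that does not forge the source address would additionally trigger the unexpected-host alert.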

Ypghost  currently  has  the limitation  that  it  only  supports
ethernet type interfaces, IP version 4 (with no fragmentation  or
options), UDP, RPC version 2 (with AUTH_NULL), YPPROG version  2,
and  assuming the -p option is not specified,  PMAP_PROG  version
2.   I  expect the majority of systems to comply with  all  these
conditions though. 

Ypghost has been written to be fairly portable, using the 'libpcap'
portable packet capturing library to receive packets, and raw sockets
to transmit packets.  Unfortunately old kernels don't allow you to set
the source address, so it won't work with SunOS 4.1 kernels and most
unmodified Linux kernels (I believe the very latest 1.3.x Linux
kernels have now been fixed).

Ypghost is known to work on:

	SunOS 5.4 (Solaris)
	Linux 1.2.13 & 1.3.14 (details of how to modify old Linux kernels
	                       such as these are supplied).

It  also  compiles  and runs fine on FreeBSD 2.1.0,  although  I
haven't yet been able to test whether it does definitely work.  

I couldn't comment about other versions of Unix, but anything with
libpcap, an ANSI compiler, a *decent* implementation of raw sockets,
and an Ethernet interface that supports promiscuous mode should work.

Version  0.6  of  ypghost now  includes a  short  program  called
ypdump that watches the local network and displays details  about
certain NIS traffic, mostly UDP YPPROC_MATCH calls and replies. 

Note that both ypghost and ypdump need the libpcap library.  The
standard version works fine on SunOS (and many other platforms) and
there is also a patched version for Linux available (which isn't
incorporated into the standard release, I think because work on
libpcap seems to have stopped at version 0.0.6!).  FreeBSD (at least)
seems to come with libpcap as standard.  Both libpcap and libpcap for
Linux should be on my page, or at least details of where to get them
from.


Arny - arny@geek.org.uk

			http://www.unix.geek.org.uk/~arny/  (U.K.)
			http://www.unix.geek.net/~arny/     (U.S.)

