ypxfrd may allow local attacker to read any file on the system.
11th Oct 2002 [SBWID-5743]
COMMAND

	ypxfrd may allow local attacker to read any file on the system.

SYSTEMS AFFECTED

	The following systems are identified as affected by this vulnerability:
	

	 Sun Microsystems Solaris

	 SCO OpenServer

	 Caldera OpenLinux

PROBLEM

	Janusz Niewiadomski of iSEC Security Research [http://isec.pl/] found:
	

	The ypxfrd daemon is used to speed up the distribution of large NIS maps
	from the NIS master to NIS slave servers.
	

	 Details:
	 ========
	

	When the getdbm procedure is called, the ypxfrd daemon creates a path to
	the /var/yp/domain/map file (where domain and map are arguments provided
	in the request). Unfortunately, it fails to check whether both arguments
	contain slash or dot characters, thus making databases outside the
	/var/yp directory accessible. A symlink can override the .pag / .dir
	file extension limitation, allowing a local attacker to read any file on
	the system.
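
	The missing check described above, sketched as an added example (not
	code from ypxfrd, the advisory, or any vendor patch). The function
	names, the 64-character limit and the sample request values are
	assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define YP_NAME_MAX 64   /* assumed limit for this example */

/* A domain or map name must be one path component: no '/', no leading '.'. */
int yp_name_ok(const char *s)
{
    if (s == NULL || s[0] == '\0' || s[0] == '.') return 0;
    if (strlen(s) > YP_NAME_MAX) return 0;
    return strchr(s, '/') == NULL;
}

/* Build base/domain/map+ext from validated names; 0 on success, -1 on reject. */
int yp_map_path(const char *base, const char *domain, const char *map,
                const char *ext, char *out, size_t outlen)
{
    if (!yp_name_ok(domain) || !yp_name_ok(map)) return -1;
    int n = snprintf(out, outlen, "%s/%s/%s%s", base, domain, map, ext);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Resolve symlinks and require the result to stay below base.
 * A daemon should also open with O_NOFOLLOW or re-check the opened
 * descriptor, since the file can change between this check and open(). */
int yp_path_contained(const char *base, const char *path)
{
    char rbase[PATH_MAX], rpath[PATH_MAX];
    if (realpath(base, rbase) == NULL || realpath(path, rpath) == NULL) return 0;
    size_t n = strlen(rbase);
    return strncmp(rbase, rpath, n) == 0 && rpath[n] == '/';
}

int main(void)
{
    /* Constructed request arguments, not taken from the advisory. */
    const char *reqs[][2] = { {"example.dom", "passwd.byname"},
                              {"..", "passwd.byname"},
                              {"example.dom", "../../tmp/x"} };
    char path[PATH_MAX];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = yp_map_path("/var/yp", reqs[i][0], reqs[i][1], ".dir", path, sizeof path);
        printf("%-12s %-14s -> %s\n", reqs[i][0], reqs[i][1], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

	Name validation alone does not cover the symlink case; the containment
	check on the resolved path is what keeps a .dir or .pag link from
	pointing outside /var/yp.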
	

	--snipp--
	

	 Impact:
	 =======
	

	When ypxfrd is configured and running, a local attacker is able to read
	any file on the system. As ypxfrd is typically run as root, this may
	lead to privilege escalation. It is also possible to remotely read DBM
	files outside the /var/yp directory, depending on the securenets
	configuration.

SOLUTION

	Please refer to CERT VU#538033 for more information.
