[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [Information Disclosure] NetForce v4.02 Sends NIS Password Maps
From: bambenek () gmail ! com
Date: 2005-10-01 1:41:33
Message-ID: 20051001014133.11786.qmail () securityfocus ! com
[Download RAW message or body]
Vendor: Procom Technology, Inc.
Product: NetFORCE 800, v 4.02 M10 (Build 20)
Other Versions Vulnerable: unknown, vendor’s website sucks so I can’t tell
Vulnerability type: Information disclosure
Severity: Medium
* Software Information
--------------------
Model : NetFORCE 800
Version : 4.02 M10 (Build 20)
Vendor : Procom Technology, Inc.
Description:
NetFORCE’s operating system on the NAS includes the ability to send a diagnostic \
e-mail with a wealth of information to the technician to be able to diagnose problems \
without providing direct remote access. This diagnostic email includes output from \
various programs, statistical reports, and several file attachments.
One of these file attachments (passwd.nis) includes the NIS password map of any \
domain it is bound to, happily sending the entire domains fscking password hashes in \
the clear across the Internet over sendmail. This doesn’t impact you if you don’t \
use NIS as the other files that include user information “blank” out the password \
information.
NetFORCE sold its intellectual property to Sun and Sun uses the same systems to base \
their NAS solution off of. Because the NetFORCE website no longer has software \
versioning information, it is not possible to test on other versions or determine \
which versions are or are not vulnerable.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic