GEN:SID 1:2088
Message RPC ypupdated arbitrary command attempt UDP
Summary vulnerability in the rcp service ypupdated.
Impact Information disclosure and possible code execution.

Unauthorized super user access to the vulnerable host resulting in a
compromise of all data on the host and any network resources that host
is connected to. Full control of the victim is gained.
Detailed Information The ypupdated service is used in conjunction with NIS servers to
remotely update changes made in NIS databases.

On recieving a request the yupdated service executes a make command
using the Bourne shell. It is possible to execute code using
metacharacters in the request.

Commands and code after the metacharacters in the request will be
executed with the privileges of the super user on the vulnerable system.
Affected Systems HP-UX 10.1, 10.10 and 10.20
    
    IBM AIX 3.2 and 4.1
    
    NEC EWS-UX/V (Rel4.2MP), (Rel4.2)
    NEC UP-UX/V (Rel4.2MP)
    NEC UX/4800 (64)
    
    SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3
    SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5
    SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3
    SGI IRIX 6.0, 6.0.1 XFS, 6.0.1
    
    Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4
Attack Scenarios The attacker needs to craft a specially formulated request to the
rpc.ypupdated service containing a long username. An exploit for this
vulnerability exists.
Ease of Attack Simple
Corrective Action Apply pacthes for the affected systems as soon as possible.

Disable the rpc.ypupdated daemon.

Disallow all RPC requests from external sources and use a firewall to
block access to RPC ports from outside the LAN.
Additional References Bugtraq:
http://www.securityfocus.com/bid/1749