Bugtraq mailing list archives
RSI.0008.08-18-98.ALL.RPC_PCNFSD
From: advise () enigma repsec com (RSI Advise)
Date: Tue, 18 Aug 1998 17:13:27 -0700
RSI.0008.08-18-98.ALL.RPC_PCNFSD
Repent Security Incorporated, RSI
[ http://www.repsec.com ]
*** RSI ALERT ADVISORY ***
--- [CREDIT] --------------------------------------------------------------
'Bermuda Brian': Research and development
Mark Zielinski : Author of advisory
--- [SUMMARY] -------------------------------------------------------------
Announced: July 14, 1998
Report code: RSI.0008.08-18-98.ALL.RPC_PCNFSD
Report title: All rpc.pcnfsd
Vulnerability: Please see the details section
Vendor status: IBM contacted on August 3, 1998
Hewlett Packard contacted on August 3, 1998
Sun Microsystems contacted on August 3, 1998
Slackware contacted on August 3, 1998
Patch status: Linux and AIX patch information is provided below
Platforms: Vulnerable:
AIX: 4.0, 4.1, 4.2, 4.3
HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x
SunOS: 4.1.3, 4.1.4
Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
Redhat Linux: 4.0, 4.1, 4.2, 5.0, 5.1
Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
OSF: 3.2
Not vulnerable:
OpenBSD, FreeBSD, NetBSD, BSDI
Reference: http://www.repsec.com/advisories.html
Impact: An attacker can obtain root on the server: locally
through problem A (symbolic link attack on the spool
directory) and remotely through problem B (command
injection into system ()).
--- [DETAILS] -------------------------------------------------------------
Description: rpc.pcnfsd is an RPC service used by PC-NFS clients.
It authenticates usernames and passwords for networked
PCs that run NFS client software, and it spools their
print jobs on the server.
Problem: Two vulnerabilities are covered in this advisory, both
of which allow root to be compromised.
Vulnerable functions:
~~~~~~~~~~~~~~~~~~~~~
A. pr_init () : This function creates a per-client spool
directory underneath the main spool directory
(for example /var/spool/pcnfsd). It first
passes the client-supplied names to
suspicious (), which rejects any name that
contains one of the shell metacharacters
";|&<>`'#!?*()[]^/", then calls mkdir () on
the new directory and chmod ()s it to mode
777.
"." is not in that list. A client that sends
"." as the name makes the path resolve to the
main spool directory itself: the mkdir ()
fails harmlessly with EEXIST and the chmod ()
sets the main spool directory used by
rpc.pcnfsd to mode 777, i.e. world writeable.
A local attacker can then create a symbolic
link /var/spool/pcnfsd/printername pointing at
any file on the system and call pr_init ()
with that name. mkdir () again fails with
EEXIST, but chmod () follows the symbolic link
and sets the destination file to mode 777.
B. run_ps630 () : At boot, rpc.pcnfsd is started from the
system rc files, which run with / as their
current directory, so the daemon keeps / as
its working directory.
run_ps630 () passes the client-supplied names
to the same suspicious () check for the
metacharacters ";|&<>`'#!?*()[]^/". If none
of them is present, it strcat ()s the data
onto a command buffer and hands the buffer to
system (), i.e. to /bin/sh.
A newline is not in that list, and the shell
treats a newline as a command separator.
Sending "\ncommand\n" as the printer, "." as
the spool directory (which, given the working
directory above, is /), and the client option
"d" (the option that leads to run_ps630 ()
being called) therefore makes rpc.pcnfsd
execute arbitrary commands remotely as root.
* Note : AIX is not vulnerable to problem A, and HP-UX
is only vulnerable to problem A, in HP-UX 9.0
and 10.0.
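The following C program is an illustration added to this page; it is not part of the advisory, of the vendors' rpc.pcnfsd sources or of the RSI patches. It puts both problems side by side: the blocklist check of the affected suspicious () (the character set taken from the '-' line of 0008.patch1) next to an allowlist check modelled on the '+' line, and a reconstruction of the affected pr_init () mkdir/chmod sequence next to a hardened variant. The shape of pr_init_affected () follows the code fragments quoted in the Linux patch section; the buffer sizes, the DIR_MODE value of 0777, the assumption that the patched check compares strspn () against strlen (), the function names and the scratch directory under /tmp are all assumptions of this example. symlink_demo () shows on a throwaway directory that chmod () and stat () follow a planted symbolic link while lstat () does not.

```c
#define _GNU_SOURCE                 /* mkdtemp(), symlink(), lstat() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define DIR_MODE 0777               /* assumption: the daemon's dir_mode */

/* Problem B. The shipped blocklist (the '-' line of 0008.patch1). '\n' is not
 * in the set, so "lp\nid\n" passes and later reaches system(). 1 = reject. */
int suspicious_blocklist(const char *s)
{
    return strpbrk(s, ";|&<>`'#!?*()[]^/") != NULL;
}

/* Allowlist in the spirit of 0008.patch1: every byte must be in the set and
 * the name must be non-empty. Assumption: the patch compares against strlen(). */
static const char allowed[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_=:+1234567890@%,.";

int suspicious_allowlist(const char *s)
{
    size_t n = strlen(s);
    return n == 0 || strspn(s, allowed) != n;
}

/* Problem A. Shape of the affected pr_init(): mkdir() the client directory,
 * then chmod() it. mkdir() on an existing symlink only fails with EEXIST, but
 * chmod() and stat() follow the link, so a planted link gets its target 0777. */
int pr_init_affected(const char *spool, const char *name)
{
    char path[512];
    struct stat st;
    int rc;
    if (suspicious_blocklist(name))
        return -1;
    snprintf(path, sizeof path, "%s/%s", spool, name);
    rc = mkdir(path, DIR_MODE);
    if ((rc < 0 && errno != EEXIST) ||
        chmod(path, DIR_MODE) != 0 ||           /* follows symlinks */
        stat(path, &st) != 0 ||                 /* follows symlinks */
        !S_ISDIR(st.st_mode))
        return -1;
    return 0;
}

/* Hardened variant (added here, not a vendor fix): refuse "." and "..", let
 * mkdir() alone set the mode (no chmod()), and check with lstat() so a symlink
 * in the spool directory is refused instead of followed. */
int pr_init_hardened(const char *spool, const char *name)
{
    char path[512];
    struct stat st;
    if (suspicious_allowlist(name) || !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    snprintf(path, sizeof path, "%s/%s", spool, name);
    if (mkdir(path, DIR_MODE) < 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;                              /* symlink, plain file, or gone */
    return 0;
}

/* Demo in a scratch spool directory (mkdtemp() makes it 0700): plant a 0600
 * file "secret" and a symlink "victim" -> secret, then run both variants with
 * "." and "victim". Returns -1 on setup error, otherwise a bitmask:
 *   1 affected + "." made the spool dir 0777   2 affected + "victim" made secret 0777
 *   4 hardened refused "."                     8 hardened refused "victim"  (all: 15) */
int symlink_demo(void)
{
    char spool[] = "/tmp/pcnfsd-demo-XXXXXX";
    char target[512], lnk[512];
    struct stat st;
    int fd, result = 0;
    if (mkdtemp(spool) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/secret", spool);
    snprintf(lnk, sizeof lnk, "%s/victim", spool);
    if ((fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || symlink(target, lnk) != 0)
        return -1;
    close(fd);

    (void)pr_init_affected(spool, ".");
    if (stat(spool, &st) == 0 && (st.st_mode & 0777) == 0777)  result |= 1;
    (void)pr_init_affected(spool, "victim");   /* fails S_ISDIR, but chmod() already ran */
    if (stat(target, &st) == 0 && (st.st_mode & 0777) == 0777) result |= 2;
    if (pr_init_hardened(spool, ".") != 0)      result |= 4;
    if (pr_init_hardened(spool, "victim") != 0) result |= 8;
    unlink(lnk); unlink(target); rmdir(spool);
    return result;
}
```

Note that the allowlist alone does not address problem A: "." passes both checks, which is why the hardened pr_init () rejects "." and ".." explicitly and inspects the path with lstat () instead of trusting a chmod ()/stat () pair that follows links.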
--- [FIX] -----------------------------------------------------------------
Solution: Disable rpc.pcnfsd until an appropriate patch is
released for your operating system.
--- [AIX PATCH] -----------------------------------------------------------
AIX users: IBM has provided the following patches in
response to this vulnerability:
APAR 4.1.x: IX81505
APAR 4.2.x: IX81506
APAR 4.3.x: IX81507
Until the official APARs are available, a temporary
fix can be downloaded via anonymous ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/pcnfsd.tar.Z
--- [LINUX PATCH] ---------------------------------------------------------
Solution: Working in conjunction with Patrick Volkerding and the
Slackware Linux development staff, RSI has produced the
following patches:
ftp://ftp.repsec.com/pub/repsec/0008.patch1
WARNING! The code quoted below is only fragments of each
patch! You must download each patch for it to work correctly.
0008.patch1 replaces the set of characters that is considered
suspicious with a set of characters that are allowed. The
following two lines show the change:
[snip...]
- if(strpbrk(s, ";|&<>`'#!?*()[]^/") != NULL)
[snip...]
+ if (strspn(s, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_=:+1234567890@%,.")
[snip...]
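Review bot: the '+' line is cut off before its comparison; for the allowlist to reject anything, the strspn() result has to be compared with the whole length, e.g. `if (strspn(s, allowed) != strlen(s))`, and an empty name needs its own rejection since strspn("") and strlen("") are both 0. The allowed set leaves out '\n' and '\r', which the old strpbrk() blocklist on the '-' line missed and which is what lets problem B's "\ncommand\n" through, so this hunk closes B. It still admits "." (and therefore ".."), so by itself it does nothing about problem A's trick of naming the spool directory itself; that has to be handled in pr_init().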
---
ftp://ftp.repsec.com/pub/repsec/0008.patch2
0008.patch2 replaces the vulnerable code by removing the
chmod () calls and setting umask () around the mkdir () calls,
so that mkdir () alone creates the directories with the intended
mode. The following code fragments have been stripped out of the
patch to show the vulnerable pieces of code and the relevant fix.
[snip...]
+ oldumask = umask(0);
+ (void)sprintf(pathname,"%s/%s",sp_name, sys);
+ (void)mkdir(sp_name, dir_mode); /* ignore the return code */
+ rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */
+ umask(oldumask);
[snip...]
- (void)chmod(sp_name, dir_mode);
if((rc < 0 && errno != EEXIST) ||
- (chmod(pathname, dir_mode) != 0) ||
(stat(pathname, &statbuf) != 0) ||
!(statbuf.st_mode & S_IFDIR)) {
(void)sprintf(tempstr,
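Review bot: the retained `stat(pathname, &statbuf)` follows symbolic links, so a link planted in the world-writable spool directory that points at some other directory still passes the `S_IFDIR` test and is handed back as the client's spool directory; use `lstat()` here, and `S_ISDIR(statbuf.st_mode)` rather than `statbuf.st_mode & S_IFDIR`, since that bit is also set in S_IFSOCK. Removing both chmod() calls is what takes away the mode-777 primitive, because mkdir() on an existing link only returns EEXIST. Two smaller points: with `umask(0)` in force, mkdir() creates the directories with exactly dir_mode, so if dir_mode is still 0777 the per-client directories stay world-writable; and a `sys` of "." still makes pathname equal to sp_name, which should be rejected explicitly before the sprintf().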
--- [OTHER PATCHES] -------------------------------------------------------
SunOS, Solaris, HPUX, and OSF users should wait
for their respective vendor to provide a patch.
---------------------------------------------------------------------------
Repent Security Incorporated (RSI)
13610 N. Scottsdale Rd.
Suite #10-326
Scottsdale, AZ 85254
E-Mail: advise () repsec com
FTP: ftp://ftp.repsec.com
WWW: http://www.repsec.com
---------------------------------------------------------------------------
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzU6dqAAAAEEAOHt9a5vevjD8ZjsEmncEbFp2U7aeqvPTcF/8FJMilgOVp75
dshXvZixHsYU7flgCNzA7wLIQPWBQBrweLG6dx9gE9e5Ca6yAJxZg8wNsi06tZfP
nvmvf6F/7xoWS5Ei4k3YKuzscxlyePNNKws6uUe2ZmwVoB+i3HHT44dOafMhAAUT
tBpSZXBTZWMgPGFkdmlzZUByZXBzZWMuY29tPg==
=ro8H
-----END PGP PUBLIC KEY BLOCK-----
Copyright August 1998 RepSec, Inc.
The information in this document is provided as a service to customers
of RepSec, Inc. Neither RepSec, Inc., nor any of its employees, makes
any warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or
services by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by RepSec, Inc. The views and opinions of authors expressed
herein do not necessarily state or reflect those of RepSec, Inc., and may
not be used for advertising or product endorsement purposes.
RSI Member Alert Advisories are expressly prohibited from release of any
and all information contained in this advisory, in any and all forms
into the public domain by RepSec Members, their personnel, or other
related or affiliated personnel, to other advisory groups and/or other
security incident response teams (both commercial and non-commercial) -
during the period RSI Member Alert Advisories are released to RSI
Member's only. The material in this advisory alert may be reproduced
and distributed, without permission, only after it has been released by
RepSec, Inc. into the public domain. After release by RepSec, Inc. into
the public domain the material in this RSI Member Alert Advisory may be
reproduced and distributed, without permission in its entirety only,
provided the copyright is kept intact and due credit is given to RepSec,
Inc.
Subject to the timing of release restrictions above, this RSI Advisory
Alert may be reproduced and distributed, without permission, in its
entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the
intent of increasing the awareness of the Internet community.
---------------------------------------------------------------------------
RepSec, Inc. are trademarks of RepSec, Inc. All other trademarks are
property of their respective holders.
Mark Zielinski
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzWmhPkAAAEEAKKFxAIWa6E/ey+3MU8EbeU8pBNXHJOu58weDb7LMHS/QbTF
+kvZAWPz+BCMIBBnUn00N8WHm6wqFWG37f5IAzuXm1jy1WX8goCSSW/mpoFZUxxI
avKfOc+NHAaeg6uRssIYZhvqlgQkb62JOQivHa/G8UgLdnBfnarRFJ9FQ825AAUR
tA5NYXJrIFppZWxpbnNraQ==
=B9D6
-----END PGP PUBLIC KEY BLOCK-----