Bugtraq mailing list archives
Re: pcnfsd ...
From: markz () REPSEC COM (Mark Zielinski)
Date: Wed, 14 Oct 1998 14:49:04 -0700
On Tue, 13 Oct 1998, ga wrote: ...
I didn't succeed in using the ps630() hole explained in the RepSec advisory (same as the pr_cancel() phf-like bug). It's because pcnfsd_print.c checks if the file really exists (and then tries to rename it with the .spl extension). Therefore, if the file doesn't exist, an error is returned. However, if a local user creates a filename in the /var/spool/pcnfs directory which is in fact the command to execute (e.g. /var/spool/pcnfs/FILENAME\nwhoami\nBLAH), then ps630() will work indeed, executing the command as root. I didn't try it though.
...

FYI, the way to remotely exploit the ps630 function is by tricking pcnfsd into detecting a file, which will then allow you to get to the vulnerable code. You can do this by sending a '.', which will be there.

Mark Zielinski