Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: pcnfsd ...

From: markz () REPSEC COM (Mark Zielinski)
Date: Wed, 14 Oct 1998 14:49:04 -0700

On Tue, 13 Oct 1998, ga wrote:

...


I didn't succeed to use the ps630() hole explained in rep sec advisory
(same as pr_cancel() phf-like bug). It's because pcnfsd_print.c checks
if the file really exists (and then tries to rename it with the .spl
extension). Therefore, if the file doesn't exist then an error is
returned. However, if a local user creates a filename in the
/var/spool/pcnfs directory which is in fact the command to execute (ex :
/var/spool/pcnfs/FILENAME\nwhoami\nBLAH) then ps630() will work indeed,
executing the command as root). I didn't tried it though.


...

FYI,

The way to remotely exploit the ps630 function is by tricking pcnfsd
into detecting a file, which will then allow you to get to the vulnerable
code.

You can do this by sending a '.', which will be there.

Mark Zielinski

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzYUCT4AAAEEAMK5biZZdHzLxbLRW6Zox9z+8xNdFLxIn7JbHrt3CyavHWa/
QlnR4t5BjpLrBuGiBehvcwJ1MubQcxdJos4pfI3x2Rsp0Z65BblYGSLVCdAJZNiv
IYi1feG0cdkUj5LAMzZMmg2IbOzDxmIVGl9s4kGeEqF+A2LlIC/EfQLrMLJNAAUR
tA5NYXJrIFppZWxpbnNraQ==
=HhSk
-----END PGP PUBLIC KEY BLOCK-----
Previous By Date Next
Previous By Thread Next

Current thread: