Bugtraq mailing list archives

Re: Rhino9 security advisory - rpc.pcnfsd


From: oliver () secnet com (Oliver Friedrichs)
Date: Wed, 19 Aug 1998 17:37:21 -0600


On Wed, 19 Aug 1998, John McDonald wrote:

        As pointed out in the Repsec advisory, the suspicious() function
does not check for several shell meta-characters, which allows the
newline, and on some operating systems, the '/' character to be passed.
This allows for the exploitation of the run_ps630 system() call, as
documented in the advisory. However, this oversight in the suspicious()
function also allows for an attacker to manipulate the pr_cancel()
function to gain access to the machine. Specifically, an attacker will
have to invoke pr_cancel with a valid printer name, a valid user name,
and a printer id containing the crafted exploit string. The printer id
will be passed through the suspicious() function, and then run through a
shell in the su_popen() function. As far as obtaining a valid printer id,
some implementations unilaterally accept "lp" as a valid printer, but
this is not a concern because the attacker can request a list of the valid
printers with the pr_list RPC call. As the third vulnerability addresses,
it is easy for an attacker to get a list of valid usernames out of
rpc.pcnfsd.

I should mention that both the RepSec and Rhino advisories document bugs
which were found and documented 2 years ago.

The su_popen vulnerability appears to be fixed in the pcnfsd available on
cert.org, which does not filter out specific bad characters, but rather
only allows safe characters through:

!       static char ok_chars[] =
!"1234567890@%-_=+:,.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

Both the vulnerable chmod and the su_popen functions were documented in
the CA-96.08.pcnfsd.

The mkdir bug is somewhat different, however, only because the previous
fix wasn't sufficient enough to prevent it.  The result is the same, the
ability to change arbitrary permissions to 777.  Unfortunately whoever
fixed this originally, didn't see far enough into it.

Now nobody has even touched on the heaps of buffer overflows in pcnfsd.
Hopefully most strings are passed through the above version of
suspicious(), therefore limiting the number of instructions that someone
could execute.. but some instructions can be executed with printable
characters.

- Oliver

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Network Associates, Inc.                                 (408) 346-3304
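The allow-list check quoted above, side by side with a deny-list check in the style the original suspicious() used, as an added example that is not code from the thread or from any pcnfsd release. The deny-list contents are a hypothetical reconstruction (the page does not show the original set); the test strings are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The allow-list from the cert.org pcnfsd fix, exactly as quoted in the mail. */
static const char ok_chars[] =
    "1234567890@%-_=+:,.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Hypothetical deny-list in the spirit of the pre-fix check. As the thread
 * notes, such lists tend to omit characters like '\n' and '/'. */
static const char bad_chars[] = ";|&`$<>()\"'*?[]";

/* Deny-list style: suspicious only if a listed bad character appears. */
bool suspicious_denylist(const char *s)
{
    return strpbrk(s, bad_chars) != NULL;
}

/* Allow-list style: suspicious if any character is NOT in ok_chars.
 * strspn() returns the length of the leading run of allowed characters;
 * if that run does not reach the terminator, something else is present. */
bool suspicious_allowlist(const char *s)
{
    return s[strspn(s, ok_chars)] != '\0';
}

int main(void)
{
    /* Constructed inputs: a plain printer name, and names carrying a
     * newline and a path separator, which the mail says the old check let through. */
    const char *samples[] = { "lp", "lp\nid", "../spool" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("denylist=%d allowlist=%d\n",
               suspicious_denylist(samples[i]),
               suspicious_allowlist(samples[i]));
    }
    return 0;
}
```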
