Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD

[casper () HOLLAND SUN COM (Casper Dik)]

> On Tue, 18 Aug 1998, RSI Advise wrote:
>
> > Announced:     July 14, 1998
> > Report code:   RSI.0008.08-18-98.ALL.RPC_PCNFSD
> > Report title:  All rpc.pcnfsd
> > Vulnerability: Please see the details section
> > Vendor status: IBM contacted on August 3, 1998
> >                Hewlett Packard contacted on August 3, 1998
> >                Sun Microsystems contacted on August 3, 1998
> >                Slackware contacted on August 3, 1998
> > Patch status:  Linux and AIX patch information is provided below
> > Platforms:     Vulnerable:
> >
> >                SunOS: 4.1.3, 4.1.4
> >                Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
>
>
> OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
> what it says up there.  Why?  Because neither TL nor RH 5.1 even include
> rpc.pcnfsd (checked by querying every RPM package in both distributions,
> grepping for 'pcnfs' -- no matches).


The same can be said about SunOS 4.x/Solaris 2.x; none of them include
rpc.pcnfsd.  PCNFSD is shipped as part of the PC NFS package.

Still Sun's responsibility.

I don't think Sun's latest patched rpc.pcnfsd is vulnerable to problem #2;
our suspicious check also checks for \ *and* the daemon quotes all arguments
passed to system with single quotes.  (And single quotes do quote newlines)

Strings on the latest rpc.pcnfsd (from patch 104445-01) gets me:

    \;|&<>`'#!?*()[]^/
    ps630 -s '%c%c' -p '%s' -f '
    ' -F '
    '  '
    /usr/bin/lp -c -d'%s' '%s'
    /usr/bin/lpstat '%s'
    /usr/bin/lpstat -a '%s' -p '%s'
    /usr/bin/cancel '%s'

Which seems to indicate that it will survive being passed '\ncommand\n'

The other problem does exist.

Casper