[ISN] [RSI-ALERT] RSI.0008.08-18-98.ALL.RPC_PCNFSD

From: mea culpa (jerichoat_private)
Date: Tue Aug 18 1998 - 17:21:28 PDT

  • Next message: mea culpa: "[ISN] Back Orifice in Business Week"

    Forwarded From: RSI Advise <adviseat_private>
    
    
    RSI.0008.08-18-98.ALL.RPC_PCNFSD
    
    
    
               |:::.  |::::: |::::.        |::::: |::::: |::::.
               ..  :: ..     ..  ::        ..     ..     ..  ::
               |::::  |::::  |::::  :::::: |::::: |::::  |:
               |:  :: |:     |:               |:: |:     |:  ::
               |:  :: |::::: |:            |::::: |::::: |:::::
    
    
                       Repent Security Incorporated, RSI
                           [ http://www.repsec.com ]
    
    
    		       *** RSI ALERT ADVISORY ***
     
    
    --- [CREDIT] --------------------------------------------------------------
    
    'Bermuda Brian': Research and development
    Mark Zielinski : Author of advisory
    
    
    --- [SUMMARY] -------------------------------------------------------------
    
    Announced:     July 14, 1998
    Report code:   RSI.0008.08-18-98.ALL.RPC_PCNFSD
    Report title:  All rpc.pcnfsd
    Vulnerability: Please see the details section 
    Vendor status: IBM contacted on August 3, 1998
                   Hewlett Packard contacted on August 3, 1998
                   Sun Microsystems contacted on August 3, 1998
                   Slackware contacted on August 3, 1998
    Patch status:  Linux and AIX patch information is provided below
    Platforms:     Vulnerable:
    
                   AIX: 4.0, 4.1, 4.2, 4.3
                   HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x
                   SunOS: 4.1.3, 4.1.4
                   Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
                   Redhat Linux: 4.0, 4.1, 4.2, 5.0, 5.1
                   Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
                   OSF: 3.2
    
                   Not vulnerable: 
    
                   OpenBSD, FreeBSD, NetBSD, BSDI
    
    Reference:     http://www.repsec.com/advisories.html
    Impact:        If exploited, an attacker could potentially compromise
                   root access both locally and remotely on your server
    
    
    --- [DETAILS] -------------------------------------------------------------
    
    Description:   PCNFSD is a Remote Procedure Call used by NFS clients.
                   This service provides username and password authentication
                   for networked computers which have installed NFS client
                   software.
    
    
    Problem:       Two vulnerabilities are covered in this advisory which
                   both allow root access to be compromised.
    
    	       Vulnerable functions:
    	       ~~~~~~~~~~~~~~~~~~~~~ 
         
                   A. pr_init ()    : This function will create a spool
                                      directory for a client.  When
                                      passing data to this function, it
                                      calls secure () attempting to find
                                      any insecure characters.
    
                                      The list of characters that suspicious ()
                                      checks for are: ";|&<>`'!?*()[]^/".
    
                                      By sending a "." as the printer name,
                                      rpc.pcnfsd will attempt to make that
                                      directory and set the mode to 777.
                                      By doing this, an attacker sets the 
                                      main spool directory used by rpc.pcnfsd
                                      to world writeable.
    
                                      To exploit this, an attacker could
                                      locally set a symbolic link from 
                                      /var/spool/pcnfsd/printername to
                                      any other file on the system.
                                           
                                      Calling pr_init () with the name
                                      of the symbolically linked file will
                                      force rpc.pcnfsd to follow the symlink
                                      and change the destination file to mode
                                      777.
    
                   B. run_ps630 ()  : Upon system bootup, rpc.pcnfsd is
                                      started from the system rc files
                                      which are executed from the / directory.
    
                                      Because of this, rpc.pcnfsd will
                                      attempt to function out of the root
                                      directory (/).
    
                                      When run_ps630 () is called,
                                      it calls suspicious () to check
                                      for any insecure characters.
    
                                      The list of characters that secure ()
                                      checks for are: ";|&<>`'!?*()[]^/".
                                  
                                      If it detects that none of these
                                      characters are being used, it will
                                      call strcat () to append the data
                                      to a buffer and then run the
                                      data contained inside it with
                                      system ().
    
                                      By sending a \ncommand\n as the 
                                      printer, "." as the spool
                                      directory, and setting your client
                                      options to "d", arbitary commands
                                      can be executed remotely on the
                                      server as root.
                   
                   * Note           : AIX is not vulnerable to problem A, 
                                      and HP is only vulnerable to function 
                                      A in HP-UX 9.0, 10.0.
    
    
    --- [FIX] -----------------------------------------------------------------
    
    Solution:      Disable rpc.pcnfsd until an appropriate patch is
                   released for your operating system.
    
    
    --- [AIX PATCH] -----------------------------------------------------------
    
                   AIX users: IBM has provided the following patches in 
                   reponse to this vulnerability:
    
                   APAR 4.1.x: IX81505
                   APAR 4.2.x: IX81506
                   APAR 4.3.x: IX81507
    
                   Until the official APARs are available, a temporary 
                   fix can be downloaded via anonymous ftp from:
    
                   ftp://aix.software.ibm.com/aix/efixes/security/pcnfsd.tar.Z
    
    
    --- [LINUX PATCH] ---------------------------------------------------------
    
    Solution:      Working in conjunction with Patrick Volkerding and the
                   Slackware Linux development staff, RSI has produced the
                   following patches:
    
                   ftp://ftp.repsec.com/pub/repsec/0008.patch1
    
                   WARNING! The code quoted below is only fragments of each
                   patch! You must download each patch for it to work correctly.
    
                   0008.patch1 replaces the character set that is considered
                   suspicious and replaces it with a list of characters that
                   are allowed. The following two lines show the change:
    
    [snip...]
    
    -	if(strpbrk(s, ";|&<>`'#!?*()[]^/") != NULL)
    
    [snip...]
    
    +       if (strspn(s, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_=:+1234567890@%,.")
    
    [snip...]
    
                   ---
    
                   ftp://ftp.repsec.com/pub/repsec/0008.patch2
    
                   0008.patch2 replaces the vulnerable code by removing the
                   chmod call, and utilizing umask. The following code fragments
                   have been stripped out of the patch to show the vulnerable 
                   pieces of code and the relevant fix. 
    
    [snip...]
    
    +        oldumask = umask(0);
    +        (void)sprintf(pathname,"%s/%s",sp_name, sys);
    +        (void)mkdir(sp_name, dir_mode); /* ignore the return code */
    +        rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */
    +        umask(oldumask);
    
    [snip...]
    
    -	(void)chmod(sp_name, dir_mode);
     	if((rc < 0 && errno != EEXIST) ||
    -	   (chmod(pathname, dir_mode) != 0) ||
     	   (stat(pathname, &statbuf) != 0) ||
     	   !(statbuf.st_mode & S_IFDIR)) {
     	   (void)sprintf(tempstr,
    
    
    --- [OTHER PATCHES] -------------------------------------------------------
    
                   SunOS, Solaris, HPUX, and OSF users should wait 
                   for their respective vendor to provide a patch.
    
    
    ---------------------------------------------------------------------------
    
    Repent Security Incorporated (RSI)
    13610 N. Scottsdale Rd.
    Suite #10-326
    Scottsdale, AZ 85254
    
    E-Mail: adviseat_private
    FTP: ftp://ftp.repsec.com
    WWW: http://www.repsec.com
    
    ---------------------------------------------------------------------------
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.2
    
    mQCNAzU6dqAAAAEEAOHt9a5vevjD8ZjsEmncEbFp2U7aeqvPTcF/8FJMilgOVp75
    dshXvZixHsYU7flgCNzA7wLIQPWBQBrweLG6dx9gE9e5Ca6yAJxZg8wNsi06tZfP
    nvmvf6F/7xoWS5Ei4k3YKuzscxlyePNNKws6uUe2ZmwVoB+i3HHT44dOafMhAAUT
    tBpSZXBTZWMgPGFkdmlzZUByZXBzZWMuY29tPg==
    =ro8H
    -----END PGP PUBLIC KEY BLOCK-----
    
    Copyright August 1998  RepSec, Inc.
    
    The information in this document is provided as a service to customers
    of RepSec, Inc.  Neither RepSec, Inc., nor any of it's employees, makes
    any warranty, express or implied, or assumes any legal liability or
    responsibility for the accuracy, completeness, or usefulness of any
    information, apparatus, product, or process contained herein, or
    represents that its use would not infringe any privately owned rights.
    Reference herein to any specific commercial products, process, or
    services by trade name, trademark, manufacturer, or otherwise, does not
    necessarily constitute or imply its endorsement, recommendation or
    favoring by RepSec, Inc.  The views and opinions of authors express
    herein do no necessarily state or reflect those of RepSec, Inc., and may
    not be used for advertising or product endorsement purposes.
    
    RSI Member Alert Advisories are expressly prohibited from release of any
    and all information contained in this advisory, in any and all forms
    into the public domain by RepSec Members, their personnel,  or other
    related or affiliated personnel, to other advisory groups and/or other
    security incident response teams (both commercial and non-commercial) -
    during the period RSI Member Alert Advisories are released to RSI
    Member's only.  The material in this advisory alert may be reproduced
    and distributed, without permission, only after it has been released by
    RepSec, Inc. into the public domain.  After release by RepSec, Inc. into
    the public domain the material in this RSI Member Alert Advisory  may be
    reproduced and distributed, without permission in its entirety only,
    provided the copyright is kept intact and due credit is given to RepSec,
    Inc.
    
    Subject to the timing of release restrictions above, this RSI Advisory
    Alert may be reproduced and distributed, without permission, in its
    entirety only, by any person provided such reproduction and/or
    distribution is performed for non-commercial purposes and with the
    intent of increasing the awareness of the Internet community.
    
    ---------------------------------------------------------------------------
    
    RepSec, Inc. are trademarks of RepSec, Inc.  All other trademarks are
    property of their respective holders.
    
    Mark Zielinski
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.2
    
    mQCNAzWmhPkAAAEEAKKFxAIWa6E/ey+3MU8EbeU8pBNXHJOu58weDb7LMHS/QbTF
    +kvZAWPz+BCMIBBnUn00N8WHm6wqFWG37f5IAzuXm1jy1WX8goCSSW/mpoFZUxxI
    avKfOc+NHAaeg6uRssIYZhvqlgQkb62JOQivHa/G8UgLdnBfnarRFJ9FQ825AAUR
    tA5NYXJrIFppZWxpbnNraQ==
    =B9D6
    -----END PGP PUBLIC KEY BLOCK-----
    
    
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:01:33 PDT