Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD

From: Casper Dik (casperat_private)
Date: Wed Aug 19 1998 - 03:00:16 PDT


    >On Tue, 18 Aug 1998, RSI Advise wrote:
    >
    >> Announced:     July 14, 1998
    >> Report code:   RSI.0008.08-18-98.ALL.RPC_PCNFSD
    >> Report title:  All rpc.pcnfsd
    >> Vulnerability: Please see the details section
    >> Vendor status: IBM contacted on August 3, 1998
    >>                Hewlett Packard contacted on August 3, 1998
    >>                Sun Microsystems contacted on August 3, 1998
    >>                Slackware contacted on August 3, 1998
    >> Patch status:  Linux and AIX patch information is provided below
    >> Platforms:     Vulnerable:
    >>
    >>                SunOS: 4.1.3, 4.1.4
    >>                Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
    >
    >
    >OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
    >what it says up there.  Why?  Because neither TL nor RH 5.1 even include
    >rpc.pcnfsd (checked by querying every RPM package in both distributions,
    >grepping for 'pcnfs' -- no matches).
    
    
    The same can be said about SunOS 4.x/Solaris 2.x; none of them include
    rpc.pcnfsd.  PCNFSD is shipped as part of the PC NFS package.
    
    Still Sun's responsibility.
    
    I don't think Sun's latest patched rpc.pcnfsd is vulnerable to problem #2;
    our suspicious check also checks for \ *and* the daemon quotes all arguments
    passed to system with single quotes.  (And single quotes do quote newlines)
    
    Strings on the latest rpc.pcnfsd (from patch 104445-01) gets me:
    
        \;|&<>`'#!?*()[]^/
        ps630 -s '%c%c' -p '%s' -f '
        ' -F '
        '  '
        /usr/bin/lp -c -d'%s' '%s'
        /usr/bin/lpstat '%s'
        /usr/bin/lpstat -a '%s' -p '%s'
        /usr/bin/cancel '%s'
    
    Which seems to indicate that it will survive being passed '\ncommand\n'.
    
    The other problem does exist.
    
    Casper
    
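The two defences Casper reads off the patched binary, the suspicious-character check and single-quoting every argument handed to system(), as an added illustration in C that is not Sun's rpc.pcnfsd code; the reject set and the lp format string are the ones in the strings output above, while the helper names, the buffer size and the sample arguments are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Characters the patched daemon refuses in any client-supplied argument
   (first line of the strings output quoted in the message). */
static const char SUSPICIOUS[] = "\\;|&<>`'#!?*()[]^/";

/* 1 if the argument contains any character from the suspicious set, else 0. */
int arg_is_suspicious(const char *s) {
    return strpbrk(s, SUSPICIOUS) != NULL;
}

/* Build the print command the way the patched daemon's format string does,
   refusing suspicious arguments before anything reaches system().
   Returns 0 on success, -1 on rejection or if the command does not fit. */
int build_lp_command(char *out, size_t outlen, const char *printer, const char *file) {
    if (arg_is_suspicious(printer) || arg_is_suspicious(file))
        return -1;
    int n = snprintf(out, outlen, "/usr/bin/lp -c -d'%s' '%s'", printer, file);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count newline characters that sit outside single quotes, i.e. the ones a
   Bourne shell would treat as command separators.  Constructed for this
   illustration; 0 means every newline is inert inside '...'. */
int unquoted_newlines(const char *cmd) {
    int count = 0, in_quote = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'') in_quote = !in_quote;
        else if (*p == '\n' && !in_quote) count++;
    }
    return count;
}

int main(void) {
    char cmd[256];
    /* Constructed sample: a filename carrying an embedded newline but no
       quote or backslash, so it passes the check and is quoted whole. */
    if (build_lp_command(cmd, sizeof cmd, "lp1", "job\nid") == 0)
        printf("unquoted newlines: %d\n%s\n", unquoted_newlines(cmd), cmd);
    /* A single quote in the argument is rejected outright (-1). */
    printf("rejected: %d\n", build_lp_command(cmd, sizeof cmd, "lp1", "a'b"));
    return 0;
}
```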