>On Tue, 18 Aug 1998, RSI Advise wrote:
>
>> Announced: July 14, 1998
>> Report code: RSI.0008.08-18-98.ALL.RPC_PCNFSD
>> Report title: All rpc.pcnfsd
>> Vulnerability: Please see the details section
>> Vendor status: IBM contacted on August 3, 1998
>> Hewlett Packard contacted on August 3, 1998
>> Sun Microsystems contacted on August 3, 1998
>> Slackware contacted on August 3, 1998
>> Patch status: Linux and AIX patch information is provided below
>> Platforms: Vulnerable:
>>
>> SunOS: 4.1.3, 4.1.4
>> Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
>
>
>OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
>what it says up there. Why? Because neither TL nor RH 5.1 even include
>rpc.pcnfsd (checked by querying every RPM package in both distributions,
>grepping for 'pcnfs' -- no matches).

The same can be said about SunOS 4.x/Solaris 2.x; none of them include
rpc.pcnfsd. PCNFSD is shipped as part of the PC NFS package. Still Sun's
responsibility.

I don't think Sun's latest patched rpc.pcnfsd is vulnerable to problem #2;
our suspicious check also checks for \ *and* the daemon quotes all arguments
passed to system with single quotes. (And single quotes do quote newlines.)

Strings on the latest rpc.pcnfsd (from patch 104445-01) gets me:

\;|&<>`'#!?*()[]^/
ps630 -s '%c%c' -p '%s' -f ' ' -F ' ' '
/usr/bin/lp -c -d'%s' '%s'
/usr/bin/lpstat '%s'
/usr/bin/lpstat -a '%s' -p '%s'
/usr/bin/cancel '%s'

Which seems to indicate that it will survive being passed '\ncommand\n'

The other problem does exist.

Casper
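Added example, not from the post and not Sun's rpc.pcnfsd source: a C sketch of the two defences Casper describes, a suspicious-character check using the exact character set that appears in the strings output above, and single-quoting of every argument before it is handed to system(). The function names, the extra rejection of embedded newlines, the lpstat command builder, and the simplified quote-state scanner used to show why a quoted newline does not start a new shell command are all assumptions made for the illustration.

```c
/* Added example (assumed code, not the daemon's own): the defences Casper
 * describes for the patched rpc.pcnfsd, modelled in isolation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The suspicious-character set as it appears in the strings output quoted
 * in the post (backslash included). */
static const char SUSPICIOUS[] = "\\;|&<>`'#!?*()[]^/";

/* Returns 1 if the argument contains any suspicious character, else 0.
 * Embedded newlines and carriage returns are refused too (an assumption
 * added here; the post only says single quotes would contain them). */
int is_suspicious(const char *arg)
{
    for (const char *p = arg; *p; p++) {
        if (strchr(SUSPICIOUS, *p) || *p == '\n' || *p == '\r')
            return 1;
    }
    return 0;
}

/* Wrap arg in single quotes so the shell sees one literal word. An embedded
 * single quote becomes '\'' (close, escaped quote, reopen). Caller frees. */
char *shell_quote(const char *arg)
{
    size_t n = strlen(arg), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (arg[i] == '\'') extra += 3;          /* ' -> '\'' is 3 more bytes */
    char *out = malloc(n + extra + 3);           /* two quotes + NUL */
    if (!out) return NULL;
    char *o = out;
    *o++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (arg[i] == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = arg[i];
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build the "/usr/bin/lpstat '%s'" line from the strings output: reject a
 * suspicious printer name outright, otherwise quote it. NULL on rejection
 * or allocation failure; caller frees. */
char *build_lpstat_cmd(const char *printer)
{
    if (is_suspicious(printer)) return NULL;
    char *q = shell_quote(printer);
    if (!q) return NULL;
    size_t len = strlen("/usr/bin/lpstat ") + strlen(q) + 1;
    char *cmd = malloc(len);
    if (cmd) snprintf(cmd, len, "/usr/bin/lpstat %s", q);
    free(q);
    return cmd;
}

/* Simplified model of the shell's single-quote state (ignores double quotes
 * and backslashes, which the blacklist already excludes): returns 1 if a
 * newline or ';' occurs OUTSIDE single quotes, i.e. where sh would start a
 * second command. Inside single quotes they are literal bytes. */
int has_unquoted_separator(const char *cmd)
{
    int inq = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'') inq = !inq;
        else if (!inq && (*p == '\n' || *p == ';')) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a plain printer name and one carrying a newline. */
    const char *names[] = { "lp0", "lp0\ncommand\n", "a;b" };
    for (size_t i = 0; i < 3; i++) {
        char *cmd = build_lpstat_cmd(names[i]);
        printf("%-16s -> %s\n", "request", cmd ? cmd : "REJECTED");
        free(cmd);
    }
    /* Even without the blacklist, quoting alone keeps the newline inert. */
    char *q = shell_quote("lp0\ncommand\n");
    printf("quoted newline starts new command: %d\n", has_unquoted_separator(q));
    free(q);
    return 0;
}
```

The blacklist and the quoting are independent layers: the scanner shows that quoting by itself already neutralises the '\ncommand\n' case Casper mentions, while the blacklist stops the request before any shell is involved.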