Re: Rhino9 security advisory - rpc.pcnfsd

From: Oliver Friedrichs (oliverat_private)
Date: Wed Aug 19 1998 - 16:37:21 PDT

    On Wed, 19 Aug 1998, John McDonald wrote:
    
    >         As pointed out in the Repsec advisory, the suspicious() function
    > does not check for several shell meta-characters, which allows the
    > newline, and on some operating systems, the '/' character to be passed.
    > This allows for the exploitation of the run_ps630 system() call, as
    > documented in the advisory. However, this oversight in the suspicious()
    > function also allows for an attacker to manipulate the pr_cancel()
    > function to gain access to the machine. Specifically, an attacker will
    > have to invoke pr_cancel with a valid printer name, a valid user name,
    > and a printer id containing the crafted exploit string. The printer id
    > will be passed through the suspicious() function, and then run through a
    > shell in the su_popen() function. As far as obtaining a valid printer id,
    > some implementations unilaterally accept "lp" as a valid printer, but
    > this is not a concern because the attacker can request a list of the valid
    > printers with the pr_list RPC call. As the third vulnerability addresses,
    > it is easy for an attacker to get a list of valid usernames out of
    > rpc.pcnfsd.
    
    I should mention that both the RepSec and Rhino advisories document bugs
    which were found and documented 2 years ago.
    
    The su_popen vulnerability appears to be fixed in the pcnfsd available on
    cert.org, which does not filter out specific bad characters, but rather
    only allows safe characters through:
    
    /* allow-list used by the cert.org pcnfsd: any character not in this string is rejected */
    static char ok_chars[] =
        "1234567890@%-_=+:,.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
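    The difference between the two filtering styles, as an added example (not pcnfsd's or CERT's own code): an allow-list check built from the ok_chars string quoted above, beside a hypothetical deny-list of the kind the advisory describes, which omits newline and '/' and so lets them through.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from pcnfsd. ok_chars is the allow-list quoted
 * from the cert.org pcnfsd; bad_chars is a constructed deny-list that, like
 * the original suspicious(), does not list newline or '/'. */
static const char ok_chars[] =
    "1234567890@%-_=+:,.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

static const char bad_chars[] = ";|&<>`$(){}*?#'\"\\ \t";

/* Allow-list style: returns 1 (suspicious) if any byte is not in ok_chars. */
int suspicious_allowlist(const char *s)
{
    if (s == NULL)
        return 1;                       /* nothing usable; treat as suspicious */
    for (; *s != '\0'; s++)
        if (strchr(ok_chars, (unsigned char)*s) == NULL)
            return 1;                   /* anything unlisted is rejected */
    return 0;
}

/* Deny-list style: returns 1 only if a byte appears in bad_chars. */
int suspicious_denylist(const char *s)
{
    if (s == NULL)
        return 1;
    for (; *s != '\0'; s++)
        if (strchr(bad_chars, (unsigned char)*s) != NULL)
            return 1;
    return 0;                           /* unlisted bytes such as '\n' pass */
}

int main(void)
{
    /* Constructed inputs: a plain printer id, one with an embedded newline,
     * and one containing a slash. */
    const char *samples[] = { "lp", "job12\nid", "a/b" };
    for (int i = 0; i < 3; i++)
        printf("allow-list=%d deny-list=%d\n",
               suspicious_allowlist(samples[i]),
               suspicious_denylist(samples[i]));
    return 0;
}
```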
    
    Both the vulnerable chmod and the su_popen functions were documented in
    the CA-96.08.pcnfsd.
    
    The mkdir bug is somewhat different, however, only because the previous
    fix wasn't sufficient to prevent it.  The result is the same, the
    ability to change arbitrary permissions to 777.  Unfortunately whoever
    fixed this originally didn't see far enough into it.
    
    Now nobody has even touched on the heaps of buffer overflows in pcnfsd.
    Hopefully most strings are passed through the above version of
    suspicious(), therefore limiting the number of instructions that someone
    could execute, but some instructions can be executed with printable
    characters.
    
    - Oliver
    
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
       Network Associates, Inc.                                 (408) 346-3304
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:11 PDT