Re: pcnfsd ...

From: Mark Zielinski (markzat_private)
Date: Wed Oct 14 1998 - 14:49:04 PDT

    On Tue, 13 Oct 1998, ga wrote:
    
    ...
    
    > I didn't succeed in using the ps630() hole explained in the rep sec advisory
    > (same as the pr_cancel() phf-like bug). It's because pcnfsd_print.c checks
    > whether the file really exists (and then tries to rename it with the .spl
    > extension). Therefore, if the file doesn't exist, an error is
    > returned. However, if a local user creates a filename in the
    > /var/spool/pcnfs directory which is in fact the command to execute (e.g.
    > /var/spool/pcnfs/FILENAME\nwhoami\nBLAH), then ps630() will indeed work,
    > executing the command as root. I didn't try it though.
    
    ...
    
    FYI,
    
    The way to remotely exploit the ps630 function is by tricking pcnfsd
    into detecting a file, which will then allow you to get to the vulnerable
    code.
    
    You can do this by sending a '.', which will be there.
    
    Mark Zielinski
    
    