[7705] in bugtraq
Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD
daemon@ATHENA.MIT.EDU (Casper Dik)
Wed Aug 19 09:12:05 1998
Date: Wed, 19 Aug 1998 12:00:16 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 19 Aug 1998 17:56:47 +0900." <Pine.LNX.3.96LJ1.1b7.980819175404.18277L-100000@ume.pht.co.jp>
>On Tue, 18 Aug 1998, RSI Advise wrote:
>
>> Announced: July 14, 1998
>> Report code: RSI.0008.08-18-98.ALL.RPC_PCNFSD
>> Report title: All rpc.pcnfsd
>> Vulnerability: Please see the details section
>> Vendor status: IBM contacted on August 3, 1998
>> Hewlett Packard contacted on August 3, 1998
>> Sun Microsystems contacted on August 3, 1998
>> Slackware contacted on August 3, 1998
>> Patch status: Linux and AIX patch information is provided below
>> Platforms: Vulnerable:
>>
>> SunOS: 4.1.3, 4.1.4
>> Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
>
>
>OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
>what it says up there. Why? Because neither TL nor RH 5.1 even include
>rpc.pcnfsd (checked by querying every RPM package in both distributions,
>grepping for 'pcnfs' -- no matches).
The same can be said about SunOS 4.x/Solaris 2.x; none of them include
rpc.pcnfsd. PCNFSD is shipped as part of the PC NFS package.
Still Sun's responsibility.
I don't think Sun's latest patched rpc.pcnfsd is vulnerable to problem #2;
our suspicious check also checks for \ *and* the daemon quotes all arguments
passed to system with single quotes. (And single quotes do quote newlines)
Strings on the latest rpc.pcnfsd (from patch 104445-01) gets me:
\;|&<>`'#!?*()[]^/
ps630 -s '%c%c' -p '%s' -f '
' -F '
' '
/usr/bin/lp -c -d'%s' '%s'
/usr/bin/lpstat '%s'
/usr/bin/lpstat -a '%s' -p '%s'
/usr/bin/cancel '%s'
Which seems to indicate that it will survive being passed '\ncommand\n'
The other problem does exist.
Casper
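The two layers Casper describes, a reject list of shell metacharacters plus single-quoting of every argument interpolated into the command handed to system(3), can be modelled outside the daemon. The block below is an added illustration, not pcnfsd code and not part of Casper's mail: the reject list and the lpstat template are copied from the strings output above, while the helper names, the constructed sample input in the '\ncommand\n' shape, and the use of Python's shlex as a stand-in for sh tokenisation are my own assumptions.

```python
"""Model of the patched rpc.pcnfsd defences described in the mail above:
a reject list of shell metacharacters and single quotes around each argument.
Added illustration only; helper names are assumptions, not pcnfsd identifiers."""
import shlex

# Reject list exactly as it appears in the strings(1) output in the mail.
SUSPICIOUS = set("\\;|&<>`'#!?*()[]^/")

# Command template from the same output; the daemon fills in each '%s'.
LPSTAT_TEMPLATE = "/usr/bin/lpstat -a '%s' -p '%s'"


def has_suspicious_chars(arg: str) -> bool:
    """True if arg contains any character on the reject list.
    Newline is deliberately absent from the list: it is the single quotes,
    not the check, that keep an embedded newline from ending the command."""
    return any(c in SUSPICIOUS for c in arg)


def build_lpstat(printer: str, user: str) -> str:
    """Refuse rejected characters, then interpolate into the quoted template.
    A single quote in the input is rejected, so it cannot close the quoting."""
    for arg in (printer, user):
        if has_suspicious_chars(arg):
            raise ValueError("argument contains a rejected shell metacharacter")
    return LPSTAT_TEMPLATE % (printer, user)


def shell_words(command: str) -> list:
    """Tokenise command the way a POSIX shell would; shlex models sh quoting.
    Outside quotes a newline is only a word break here, whereas a real sh would
    also end the command there and run whatever follows as a second command."""
    return shlex.split(command)


def newline_stays_inside_argument(printer: str) -> bool:
    """Check that a newline inside printer reaches lpstat as part of one
    argument instead of splitting the command line."""
    words = shell_words(build_lpstat(printer, "someuser"))
    return words == ["/usr/bin/lpstat", "-a", printer, "-p", "someuser"]


# Constructed sample in the '\ncommand\n' shape discussed in the mail.
SAMPLE = "queue\ncommand\n"

if __name__ == "__main__":
    print(repr(build_lpstat(SAMPLE, "someuser")))
    print(shell_words(build_lpstat(SAMPLE, "someuser")))
    print(newline_stays_inside_argument(SAMPLE))
    # Same input without the quotes, for contrast: the newline breaks the word.
    print(shell_words("/usr/bin/lpstat -a %s -p %s" % (SAMPLE, "someuser")))
    try:
        build_lpstat("queue'", "someuser")
    except ValueError as err:
        print("rejected:", err)
```

The point of the contrast at the end is the one Casper makes: with the quoting in place the whole 'queue\ncommand\n' string lands in argv of lpstat as one argument, and without it the shell would see two lines. Because the reject list already refuses a single quote, the quoting cannot be closed from inside the argument, which is why the two layers have to be read together rather than either one alone.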