Re: pcnfsd ...
daemon@ATHENA.MIT.EDU (Mark Zielinski)
Thu Oct 15 14:54:37 1998
Date: Wed, 14 Oct 1998 14:49:04 -0700
Reply-To: Mark Zielinski <markz@REPSEC.COM>
From: Mark Zielinski <markz@REPSEC.COM>
X-To: ga <duncan@mygale.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3623D74D.2811@mygale.org>
On Tue, 13 Oct 1998, ga wrote:
...
> I didn't succeed in using the ps630() hole explained in the rep sec advisory
> (same as the pr_cancel() phf-like bug). It's because pcnfsd_print.c checks
> if the file really exists (and then tries to rename it with the .spl
> extension). Therefore, if the file doesn't exist then an error is
> returned. However, if a local user creates a filename in the
> /var/spool/pcnfs directory which is in fact the command to execute (e.g.
> /var/spool/pcnfs/FILENAME\nwhoami\nBLAH) then ps630() will work indeed,
> executing the command as root. I didn't try it though.
...
FYI,
The way to remotely exploit the ps630 function is by tricking pcnfsd
into detecting a file, which will then allow you to get to the vulnerable
code.
You can do this by sending a '.', which will be there.
Mark Zielinski
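Both messages above turn on the same defect: a client-supplied print-job name reaches the spool path (and, in the vulnerable code, a shell command) with newlines and other metacharacters intact, and the existence check is satisfied by a name such as '.'. The following is an added illustration of the kind of input validation that closes both holes; it is not pcnfsd's source, and the function names, the 64-byte limit and the character allow-list are this editor's assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if `name` is acceptable as a bare spool-file name, 0 otherwise.
 * Rejects empty names, "." and "..", path separators and any byte outside a
 * small allow-list, so the name can never carry a newline, a shell
 * metacharacter or a directory traversal into code that later forms a
 * command line or a path from it. (Hypothetical helper, not pcnfsd code.) */
int spool_name_ok(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 64) return 0;                 /* assumed length cap */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* allow-list: letters, digits, '-', '_', '.'; everything else
         * (newline, ';', '|', '`', '$', '/', space, ...) is rejected */
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.')) return 0;
    }
    return 1;
}

/* Build "<dir>/<name>" and "<dir>/<name>.spl" into caller-owned buffers,
 * but only after the name has passed spool_name_ok(). No shell is involved;
 * the caller would rename()/open() these paths directly.
 * Returns 0 on success, -1 if the name is rejected or a path would not fit. */
int spool_paths(const char *dir, const char *name,
                char *path, size_t pathsz, char *spl, size_t splsz)
{
    int n;
    if (!spool_name_ok(name)) return -1;
    n = snprintf(path, pathsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= pathsz) return -1;
    n = snprintf(spl, splsz, "%s/%s.spl", dir, name);
    if (n < 0 || (size_t)n >= splsz) return -1;
    return 0;
}
```

The existence check in the original code is only meaningful once the name has been validated; checking first and validating never is what lets a bare '.' through.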