CERT Advisory: pcnfsd vulnerabilities

From: Sheryl A. Campbell <campbell_at_lvc.edu>
Date: Fri, 19 Apr 1996 16:45:40 -0400 (EDT)

Hi Gurus,

Have any of you heard anything about patches for this available from DEC? I
searched through the public ftp site and on their web Comet site with no
luck. Any pointers will be welcomed and summarized!

Thank you!

        Sheryl

_______________________________________________________________________________

CERT Advisory follows below...
_______________________________________________________________________________

>Date: Thu, 18 Apr 1996 14:56:48 -0400
>From: CERT Advisory <cert-advisory_at_cert.org>
>To: cert-advisory_at_cert.org
>Subject: CERT Advisory CA-96.08 - Vulnerabilities in PCNFSD
>Reply-To: cert-advisory-request_at_cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>=============================================================================
>CERT(sm) Advisory CA-96.08
>April 18, 1996
>
>Topic: Vulnerabilities in PCNFSD
>
>-----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of two
>vulnerabilities in the pcnfsd program (pcnfsd is also known as
>rpc.pcnfsd); we have also received reports that these problems are
>being exploited. These vulnerabilities are present in some
>vendor-provided versions of pcnfsd and in some publicly available
>versions.
>
>These two vulnerabilities were reported by Avalon Security Research in
>reports entitled "pcnfsd."
>
>If you are using a vendor-supplied version of pcnfsd, please see the
>vendor information in Section III.A and Appendix A. Until you can install
>a patch from your vendor for these vulnerabilities, consider using the
>publicly available version described in Section III.B.
>
>If you already use or plan to switch to a public version, we urge you
>to use the version cited in Section III.B or install the patch
>described in Section III.C. This patch has already been incorporated
>into the pcnfsd version described in III.B. There are many different
>public domain versions of pcnfsd, and we have not analyzed the
>vulnerability of those versions. We have analyzed and fixed the
>problems noted in this advisory only in the version described in III.B.
>
>As we receive additional information relating to this advisory, we will
>place it in:
>
> ftp://info.cert.org/pub/cert_advisories/CA-96.08.README
>
>We encourage you to check our README files regularly for updates on
>advisories that relate to your site.
>
>-----------------------------------------------------------------------------
>
>I. Description
>
> The pcnfsd program (also called rpc.pcnfsd) is an authentication and
> printing program that runs on a UNIX server. There are many publicly
> available versions, and several vendors supply their own version.
>
> pcnfsd supports a printing model that uses NFS to transfer files from
> a client to the pcnfsd server. (Note: pcnfsd does *not* provide NFS
> services.) When a client wants to print a file, it requests the path
> to a spool directory from the server. The client then writes the necessary
> files for printing using NFS, and informs the pcnfsd server that the
> files are ready for printing.
>
> pcnfsd creates a subdirectory for each of its clients using the client's
> hostname, then returns this path name to the client. The returned path
> name must be exported to its clients by the NFS server. The
> NFS server and the pcnfsd server may be two separate machines.
>
> The first vulnerability is that pcnfsd, which runs as root, creates the
> aforementioned directories with mkdir(2) and then changes their mode
> with chmod(2) to mode 777. If the target directory is replaced with a
> symbolic link pointing to a restricted file or directory, the mkdir(2)
> will fail but the chmod(2) will succeed. This means that the target of
> the symbolic link will be mode 777.
>
> Note that pcnfsd must run as root when servicing print requests so that
> it can assume the identity of the PC user when interacting with UNIX
> print commands. On some systems, pcnfsd may also have to run as root so
> it can read restricted files when carrying out authentication tasks.
>
> The second vulnerability is that pcnfsd calls the system(3) subroutine
> as root, and the string passed to system(3) can be influenced by the
> arguments given in the remote procedure call. Remote users can execute
> arbitrary commands on the machine where pcnfsd runs.
>
>
>II. Impact
>
> For the first vulnerability, local users can change the permissions on
> any file accessible to the local system that the root user can change.
> For the second vulnerability, remote users can execute arbitrary commands
> as root on the machine where pcnfsd runs.
>
>
>III. Solution
>
> If you are using pcnfsd from a vendor, consult the vendor list in
> Section A. If your vendor is not listed, we recommend that you
> contact your vendor directly.
>
> Until a vendor patch is available, we recommend that you obtain the
> publicly available version of pcnfsd as described in Section B. This
> version already has the patch described in Section C.
>
> If you are presently using a public version of pcnfsd, we recommend
> that you either change to the version listed in Section B or apply the
> patch described in Section C. (The version in Section B already contains
> this patch.)
>
> A. Obtain and install the appropriate patch according to the
> instructions included with the patch.
>
> Below is a list of the vendors who have reported to us as of the date
> of this advisory. More complete information, including how to obtain
> patches, is provided in the appendix of this advisory and reproduced
> in the CA-96.08.README file. We will update the README file as we
> receive more information.
>
> If your vendor's name is not on this list, please contact the vendor
> directly.
>
> Vendor or Source      Status
> ----------------      ------------
> BSDI BSD/OS           Vulnerable. Patch available.
> Hewlett Packard       Vulnerable. Patch under development.
> IBM AIX 3.2           Vulnerable. Patches available.
> IBM AIX 4.1           Vulnerable. Patches available.
> NEXTSTEP              Vulnerable. Will be fixed in version 4.0.
> SCO OpenServer 5      Vulnerable. Patch under development.
> SCO UnixWare 2.1      Vulnerable. Patch under development.
> SGI IRIX 5.3          Vulnerable. Patch under development.
> SGI IRIX 6.2          Not vulnerable.
>
>
> B. Until you are able to install the appropriate patch, we recommend
> that you obtain a version of pcnfsd from one of the following
> locations. This version already has the patch mentioned in
> Section III.C and included in Appendix B.
>
> ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z
> ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z
>
> MD5 (pcnfsd.93.02.16-cert-dist.tar.Z) = b7af99a07dfcf24b3da3446d073f8649
>
> Build, install, and restart rpc.pcnfsd.
>
> Ensure that the mode of the top-level pcnfsd spool directory is 755.
> In this version of pcnfsd, the top level spool directory is
> /usr/spool/pcnfs. To change this to mode 755, do the following as
> root:
>
> chmod 755 /usr/spool/pcnfs
>
>
> C. Appendix B contains a patch for the two vulnerabilities described
> in this advisory. Apply the patch using the GNU patch utility or
> by hand as necessary. Rebuild, reinstall, and restart rpc.pcnfsd.
> Set the mode of the top-level pcnfsd spool directory to 755.
>
> For example, in the version of pcnfsd cited in Section B, the top
> level spool directory is /usr/spool/pcnfs. To change this to mode
> 755, do the following as root:
>
> chmod 755 /usr/spool/pcnfs
>
>
>---------------------------------------------------------------------------
>The CERT Coordination Center thanks Josh D., Ben G., and Alfred H. of
>Avalon Security Research for providing information for this advisory.
>We thank Wolfgang Ley of DFN-CERT for his help in understanding these
>problems.
>---------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (FIRST).
>
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact the
>CERT staff for more information.
>
>Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>CERT Contact Information
>------------------------
>Email cert_at_cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
> cert-advisory-request_at_cert.org
>
>
>Copyright 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided it
>is used for noncommercial purposes and the copyright statement is included.
>
>CERT is a service mark of Carnegie Mellon University.
>
>.........................................................................
>Appendix A: Vendor Information
>
>Current as of April 18, 1996
>See CA-96.08.README for updated information.
>
>Below is information we have received from vendors concerning the
>vulnerability described in this advisory. If you do not see your vendor's
>name, please contact the vendor directly for information.
>
>Berkeley Software Design, Inc. (BSDI)
>=====================================
>The problem described in these vulnerabilities is present in all versions
>of BSD/OS. There is a patch (our patch number U210-007) for our 2.1 version
>of BSD/OS and associated products available from our patch and ftp servers
><patches_at_BSDI.> or ftp://ftp.BSDI.COM/bsdi/patches/patches-2.1/U210-007
>
>
>Hewlett-Packard Company
>=======================
> Patches in process; watch for an HP security bulletin for this
> vulnerability.
>
>
>IBM Corporation
>===============
> See the appropriate release below to determine your action.
>
>
> AIX 3.2
> -------
> Apply the following fixes to your system:
>
> APAR - IX57623 (PTF - U442633)
> APAR - IX56965 (PTF - U442638)
>
> To determine if you have these PTFs on your system, run the following
> commands:
>
> lslpp -lB U442633
> lslpp -lB U442638
>
>
> AIX 4.1
> -------
> Apply the following fixes to your system:
>
> APAR - IX57616
> APAR - IX56730
>
> To determine if you have these APARs on your system, run the following
> commands:
>
> instfix -ik IX57616
> instfix -ik IX56730
>
>
> To Order
> --------
> APARs may be ordered using FixDist or from the IBM Support Center.
> For more information on FixDist, reference URL:
>
> http://aix.boulder.ibm.com/pbin-usa/fixdist.pl/
>
> or send e-mail to aixserv_at_austin.ibm.com with a subject of "FixDist".
>
>
> IBM and AIX are registered trademarks of International Business Machines
> Corporation.
>
>
>NeXT Software, Inc.
>===================
>NEXTSTEP is vulnerable. This will be fixed in the 4.0 release of
>OpenStep for Mach (aka NEXTSTEP 4.0, due out 2Q96).
>
>
>The Santa Cruz Operation, Inc.
>==============================
>Patches for pcnfsd are currently being developed for the
>following releases:
>
>SCO OpenServer 5
>SCO UnixWare 2.1.
>
>These releases, as well as all prior releases, are vulnerable to
>both issues mentioned in the advisory. Should you not need to use
>pcnfs, SCO recommends that you not run pcnfsd. This can be done
>by commenting out pcnfsd in the appropriate script that starts
>pcnfsd, located in /etc/rc2.d.
>
>The README file for this advisory will be updated when further patch
>information is available.
>
>
>Silicon Graphics Corporation
>============================
>pcnfsd was only released for IRIX 5.3 and IRIX 6.2.
>SGI is producing patch1179 for IRIX 5.3.
>IRIX 6.2 is not vulnerable.
>
>
>.........................................................................
>Appendix B: Patch Information
>
>Here is the patch for pcnfsd_print.c. It is also available as:
>
> ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd_print.c.diffs
> ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd_print.c.diffs
>
> MD5 (pcnfsd_print.c-diffs) = ec44046ff5c769aa5bf2d8d155b61f1f
>
>---------------------------------CUT HERE---------------------------------
>*** /tmp/T0a002c1 Fri Apr 5 13:14:50 1996
>--- pcnfsd_print.c Fri Apr 5 13:14:46 1996
>***************
>*** 221,226 ****
>--- 221,227 ----
> {
> int dir_mode = 0777;
> int rc;
>+ mode_t oldmask;
>
> *sp = &pathname[0];
> pathname[0] = '\0';
>***************
>*** 231,241 ****
> /* get pathname of current directory and return to client */
>
> (void)sprintf(pathname,"%s/%s",sp_name, sys);
> (void)mkdir(sp_name, dir_mode); /* ignore the return code */
>- (void)chmod(sp_name, dir_mode);
> rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */
> if((rc < 0 && errno != EEXIST) ||
>- (chmod(pathname, dir_mode) != 0) ||
> (stat(pathname, &statbuf) != 0) ||
> !(statbuf.st_mode & S_IFDIR)) {
> (void)sprintf(tempstr,
>--- 232,242 ----
> /* get pathname of current directory and return to client */
>
> (void)sprintf(pathname,"%s/%s",sp_name, sys);
>+ oldmask = umask(0);
> (void)mkdir(sp_name, dir_mode); /* ignore the return code */
> rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */
>+ umask(oldmask);
> if((rc < 0 && errno != EEXIST) ||
> (stat(pathname, &statbuf) != 0) ||
> !(statbuf.st_mode & S_IFDIR)) {
> (void)sprintf(tempstr,
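Review bot: with the umask cleared immediately before it, `(void)mkdir(sp_name, dir_mode);` now creates the top-level spool directory itself as mode 0777 on a first run, which is exactly what the advisory's separate `chmod 755 /usr/spool/pcnfs` step has to repair afterwards; pass 0755 for sp_name, or move `oldmask = umask(0);` below that call, so that only the per-client directory is world-writable. The surviving check, `(stat(pathname, &statbuf) != 0) || !(statbuf.st_mode & S_IFDIR)`, still follows symbolic links: a link planted at pathname that points at any existing directory passes it, and that path is what gets handed back to the PC client as its spool area. Removing the two chmod(2) calls stops the mode change, but lstat(2) together with `S_ISDIR(statbuf.st_mode)` (the `& S_IFDIR` bit test also accepts S_IFSOCK, whose value includes that bit) would reject the link outright.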
>***************
>*** 381,387 ****
> ** filter with the appropriate arguments.
> **------------------------------------------------------
> */
>! (void)run_ps630(new_pathname, opts);
> }
> /*
> ** Try to match to an aliased printer
>--- 382,391 ----
> ** filter with the appropriate arguments.
> **------------------------------------------------------
> */
>! (void)sprintf(tempstr,
>! "rpc.pcnfsd: ps630 filter disabled for %s\n",
pathname);
>! msg_out(tempstr);
>! return(PS_RES_FAIL);
> }
> /*
> ** Try to match to an aliased printer
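Review bot: the replacement returns `PS_RES_FAIL` unconditionally, so this hunk removes the ps630 filter rather than fixing it, and sites that depend on that filter lose those print jobs; the advisory text should say so explicitly, and if the filter is to come back the fix is to run it with fork/execv, a fixed program path and an argv array instead of system(3), after validating `opts` against an allow-list of the option characters the filter actually accepts. Minor: the new log line prints `pathname`, while the call being removed passed `new_pathname`; confirm which name the operator needs to see.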
>---------------------------------CUT HERE---------------------------------
>

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Sheryl A. Campbell Internet: campbell_at_lvc.edu %
% Assistant Director Voice: (717)867-6060 %
% Administrative Computing FAX: (717)867-6019 %
% %
% L E B A N O N V A L L E Y C O L L E G E %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
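The two bug classes in the advisory above, each next to a hardened form, as an added C example; this is not code from the advisory, from pcnfsd or from any vendor patch. The first half reproduces the mkdir(2)+chmod(2) problem from Section I against a planted symlink and shows the alternative of setting the mode at mkdir time and refusing to follow links with O_NOFOLLOW; the second half shows why a string built from RPC arguments must never reach system(3) and how an allow-list plus fork/execv replaces it. The spool root under /tmp, the client name "pc-client", the printer names and the lpr path are all assumptions of the example, not values taken from pcnfsd.

```c
/* Added example for CA-96.08, not code from the advisory, pcnfsd or a vendor.
 * (1) mkdir()+chmod() on a client-named spool path: a symlink planted there
 *     makes chmod(0777) hit the link's target; the hardened form sets the mode
 *     at mkdir time and opens the result with O_NOFOLLOW.
 * (2) RPC data pasted into a system(3) string; the hardened form allow-lists
 *     the printer name and runs lpr with fork/execv and an argv array.
 * Spool root, client name, printer names and lpr path are assumptions here. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* (1a) Pre-patch pattern: EEXIST is ignored, then chmod() goes through the path. */
int make_client_dir_unsafe(const char *path)
{
    (void)mkdir(path, 0777);        /* EEXIST: the planted symlink is "there"    */
    return chmod(path, 0777);       /* follows the link: its target becomes 0777 */
}

/* (1b) Hardened: final mode at mkdir time, no chmod, O_NOFOLLOW on the result. */
int make_client_dir_safe(const char *path)
{
    struct stat st;
    mode_t old = umask(0);
    int rc = mkdir(path, 0777);
    umask(old);
    if (rc < 0 && errno != EEXIST) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;          /* ELOOP for a symlink, ENOTDIR for a file */
    rc = fstat(fd, &st);
    close(fd);
    /* accept only a real directory owned by the daemon's own uid */
    return (rc == 0 && S_ISDIR(st.st_mode) && st.st_uid == geteuid()) ? 0 : -1;
}

/* (2) Pre-patch pcnfsd handed a string built from RPC arguments to system(3):
 * a printer name "lp;id>/tmp/x" runs id as root.  Allow-list the name first. */
int printer_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_' && name[i] != '-')
            return 0;
    return 1;
}

/* Run lpr through execv with an argv array, so no shell ever sees the data.
 * Returns the child's exit status, or -1 if the name is rejected or exec fails. */
int print_safe(const char *lpr_path, const char *printer, const char *file)
{
    if (!printer_name_ok(printer)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "lpr", "-P", (char *)printer, (char *)file, NULL };
        execv(lpr_path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed scenario: a temp spool root holding "restricted" (mode 0700) and
 * "pc-client" -> restricted, the link an attacker plants.  Runs make_dir() on
 * the link and returns the mode "restricted" ends up with (-1 on setup error). */
int symlink_scenario(int (*make_dir)(const char *))
{
    static int seq;
    char root[64], victim[128], link[128];
    struct stat st;
    snprintf(root, sizeof root, "/tmp/pcnfs-demo-%ld-%d", (long)getpid(), seq++);
    snprintf(victim, sizeof victim, "%s/restricted", root);
    snprintf(link, sizeof link, "%s/pc-client", root);
    if (mkdir(root, 0700) != 0 || mkdir(victim, 0700) != 0 || symlink(victim, link) != 0)
        return -1;
    (void)make_dir(link);           /* what pcnfsd does for client "pc-client" */
    if (stat(victim, &st) != 0) return -1;
    unlink(link); rmdir(victim); rmdir(root);
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    printf("unsafe mkdir+chmod: restricted ends up mode %04o\n", (unsigned)symlink_scenario(make_client_dir_unsafe));
    printf("hardened:           restricted stays mode %04o\n", (unsigned)symlink_scenario(make_client_dir_safe));
    printf("printer name \"lp;id>/tmp/x\" accepted? %d\n", printer_name_ok("lp;id>/tmp/x"));
    return 0;
}
```

Build with cc -Wall and run as an unprivileged user: the unsafe path leaves the "restricted" directory at mode 0777, the hardened path leaves it at 0700 and reports failure, because open(2) with O_NOFOLLOW fails with ELOOP on the planted link. The CERT patch in Appendix B only drops the chmod(2) calls and keeps stat(2), which follows links, so a planted link to an existing directory still passes its S_IFDIR test; that is why the example checks the directory through a descriptor opened with O_NOFOLLOW rather than through the path.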
Received on Fri Apr 19 1996 - 23:20:36 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:46 NZDT