[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CERT Advisory CA-96.08 - Vulnerabilities in PCNFSD



>Path: news.sigmasoft.com!news.tetherless.net!news.zeitgeist.net!bdt.com!hal.COM!nntp-sc.barrnet.net!news.fujitsu.com!amdahl.com!amd!decwrl!genmagic!sgigate.sgi.com!swrinde!howland.reston.ans.net!math.ohio-state.edu!magnus.acs.ohio-state.edu!news.cis.ohio-state.edu!nntp.sei.cmu.edu!news.sei.cmu.edu!cert-advisory
>From: CERT Advisory <cert-advisory_(_at_)_cert_(_dot_)_org>
>Newsgroups: comp.security.announce
>Subject: CERT Advisory CA-96.08 - Vulnerabilities in PCNFSD
>Date: 18 Apr 1996 19:00:45 GMT
>Organization: CERT(sm) Coordination Center -  +1 412-268-7090
>Lines: 383
>Approved: cert-advisory_(_at_)_cert_(_dot_)_org
>Distribution: world
>Message-ID: <4l63gt$gk3_(_at_)_news_(_dot_)_sei_(_dot_)_cmu_(_dot_)_edu>
>Reply-To: cert-advisory-request_(_at_)_cert_(_dot_)_org
>NNTP-Posting-Host: why.cert.org
>Keywords: security CERT
>Originator: cert-advisory_(_at_)_cert_(_dot_)_org
>Originator: cert-advisory_(_at_)_why_(_dot_)_cert_(_dot_)_org
>
=============================================================================
CERT(sm) Advisory CA-96.08                       
April 18, 1996

Topic: Vulnerabilities in PCNFSD

-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of two
vulnerabilities in the pcnfsd program (pcnfsd is also known as
rpc.pcnfsd); we have also received reports that these problems are
being exploited. These vulnerabilities are present in some
vendor-provided versions of pcnfsd and in some publicly available
versions.

These two vulnerabilities were reported by Avalon Security Research in
reports entitled "pcnfsd."

If you are using a vendor-supplied version of pcnfsd, please see the
vendor information in Section III.A and Appendix A. Until you can install
a patch from your vendor for these vulnerabilities, consider using the
publicly available version described in Section III.B.

If you already use or plan to switch to a public version, we urge you
to use the version cited in Section III.B or install the patch
described in Section III.C. This patch has already been incorporated
into the pcnfsd version described in III.B. There are many different
public domain versions of pcnfsd, and we have not analyzed the
vulnerability of those versions. We have analyzed and fixed the
problems noted in this advisory only in the version described in III.B.

As we receive additional information relating to this advisory, we will
place it in:

        ftp://info.cert.org/pub/cert_advisories/CA-96.08.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

-----------------------------------------------------------------------------

I.   Description

     The pcnfsd program (also called rpc.pcnfsd) is an authentication and
     printing program that runs on a UNIX server. There are many publicly
     available versions, and several vendors supply their own version.

     pcnfsd supports a printing model that uses NFS to transfer files from
     a client to the pcnfsd server. (Note: pcnfsd does *not* provide NFS
     services.)  When a client wants to print a file, it requests the path
     to a spool directory from the server. The client then writes the necessary
     files for printing using NFS, and informs the pcnfsd server that the
     files are ready for printing. 
          
     pcnfsd creates a subdirectory for each of its clients using the client's
     hostname, then returns this path name to the client. The returned path
     name must be exported via to its clients by the NFS server. The
     NFS server and the pcnfsd server may be two separate machines.

     The first vulnerability is that pcnfsd, which runs as root, creates the
     aforementioned directories with mkdir(2) and then changes their mode
     with chmod(2) to mode 777. If the target directory is replaced with a
     symbolic link pointing to a restricted file or directory, the mkdir(2)
     will fail but the chmod(2) will succeed. This means that the target of
     the symbolic link will be mode 777. 

     Note that pcnfsd must run as root when servicing print requests so that
     it can assume the identity of the PC user when interacting with UNIX
     print commands. On some systems, pcnfsd may also have to run as root so
     it can read restricted files when carrying out authentication tasks.

     The second vulnerability is that pcnfsd calls the system(3) subroutine
     as root, and the string passed to system(3) can be influenced by the
     arguments given in the remote procedure call. Remote users can execute
     arbitrary commands on the machine where pcnfsd runs.


II.  Impact

     For the first vulnerability, local users can change the permissions on
     any file accessible to the local system that the root user can change.
     For the second vulnerability, remote users can execute arbitrary commands
     as root on the machine where pcnfsd runs. 
     

III. Solution

     If you are using pcnfsd from a vendor, consult the vendor list in
     Section A. If your vendor is not listed, we recommend that you
     contact your vendor directly. 
     
     Until a vendor patch is available, we recommend that you obtain the
     publicly available version of pcnfsd as described in Section B. This
     version already has the patch described in Section C. 
     
     If you are presently using a public version of pcnfsd, we recommend
     that you either change to the version listed in Section B or apply the
     patch described in Section C. (The version in Section B already contains
     this patch.)

     A.  Obtain and install the appropriate patch according to the
         instructions included with the patch.

         Below is a list of the vendors who have reported to us as of the date
         of this advisory. More complete information, including how to obtain
         patches, is provided in the  appendix of this advisory and reproduced
         in the CA-96.xx.README file. We will update the README file as we 
         receive more information.

         If your vendor's name is not on this list, please contact the vendor
         directly.

         Vendor or Source          Status
         ----------------          ------------
         BSDI BSD/OS               Vulnerable. Patch available.
         Hewlett Packard           Vulnerable. Patch under development.
         IBM AIX 3.2               Vulnerable. Patches available.
         IBM AIX 4.1               Vulnerable. Patches available.
         NEXTSTEP                  Vulnerable. Will be fixed in version 4.0.
         SCO OpenServer 5          Vulnerable. Patch under development.
         SCO UnixWare 2.1          Vulnerable. Patch under development.
         SGI IRIX 5.3              Vulnerable. Patch under development.
         SGI IRIX 6.2              Not vulnerable.


     B.  Until you are able to install the appropriate patch, we recommend
         that you obtain a version of pcnfsd from one of the following
         locations. This version already has the patch mentioned in 
         Section III.C and included in Appendix B.

     ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z
     ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z

     MD5 (pcnfsd.93.02.16-cert-dist.tar.Z) = b7af99a07dfcf24b3da3446d073f8649

         Build, install, and restart rpc.pcnfsd. 

         Ensure that the mode of the top-level pcnfsd spool directory is 755.
         In this version of pcnfsd, the top level spool directory is
         /usr/spool/pcnfs. To change this to mode 755, do the following as
         root:  

                chmod 755 /usr/spool/pcnfs

         
     C.  Appendix B contains a patch for the two vulnerabilities described
         in this advisory. Apply the patch using the GNU patch utility or
         by hand as necessary. Rebuild, reinstall, and restart rpc.pcnfsd.
         Set the mode of the top-level pcnfsd spool directory to 755.

         For example, in the version of pcnfsd cited in Section B, the top
         level spool directory is /usr/spool/pcnfs. To change this to mode
         755, do the following as root: 

                chmod 755 /usr/spool/pcnfs
                

---------------------------------------------------------------------------
The CERT Coordination Center thanks Josh D., Ben G., and Alfred H. of
Avalon Security Research for providing information for this advisory.
We thank Wolfgang Ley of DFN-CERT for his help in understanding these
problems.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information. 

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert_(_at_)_cert_(_dot_)_org

Phone    +1 412-268-7090 (24-hour hotline)
        CERT personnel answer 8:30-5:00 p.m. EST
        (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request_(_at_)_cert_(_dot_)_org


Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

.........................................................................     
Appendix A: Vendor Information

Current as of April 18, 1996
See CA-96.08.README for updated information.

Below is information we have received from vendors concerning the
vulnerability described in this advisory. If you do not see your vendor's
name, please contact the vendor directly for information.

Berkeley Software Design, Inc. (BSDI)
=====================================
The problem described in these vulnerabilities is present in all versions
of BSD/OS.  There is a patch (our patch number U210-007) for our 2.1 version
of BSD/OS and associated products available from our patch and ftp servers
<patches_(_at_)_BSDI_(_dot_)_> or ftp://ftp.BSDI.COM/bsdi/patches/patches-2.1/U210-007


Hewlett-Packard Company
=======================
Patches in process, watch for HP an security bulletin for this
vulnerability.


IBM Corporation
===============
  See the appropriate release below to determine your action.


  AIX 3.2
  -------
    Apply the following fixes to your system:

       APAR - IX57623 (PTF - U442633)
       APAR - IX56965 (PTF - U442638)

    To determine if you have these PTFs on your system, run the following
    commands:

       lslpp -lB U442633
       lslpp -lB U442638


  AIX 4.1
  -------
    Apply the following fixes to your system:

        APAR - IX57616
        APAR - IX56730

    To determine if you have these APARs on your system, run the following
    commands:

       instfix -ik IX57616
       instfix -ik IX56730


  To Order
  --------
    APARs may be ordered using FixDist or from the IBM Support Center.
    For more information on FixDist, reference URL:

       http://aix.boulder.ibm.com/pbin-usa/fixdist.pl/

    or send e-mail to aixserv_(_at_)_austin_(_dot_)_ibm_(_dot_)_com with a subject of "FixDist".


  IBM and AIX are registered trademarks of International Business Machines
  Corporation.


NeXT Software, Inc.
===================
NEXTSTEP is vulnerable.  This will be fixed in the 4.0 release of
OpenStep for Mach (aka NEXTSTEP 4.0, due out 2Q96).


The Santa Cruz Operation, Inc.
==============================
Patches for pcnfsd are currently being developed for the 
following releases:

SCO OpenServer 5
SCO UnixWare 2.1.

These releases, as well as all prior releases, are vulnerable to 
both issues mentioned in the advisory. Should you not need to use 
pcnfs, SCO recommends that you not run pcnfsd. This can be done 
by commenting out pcnfsd in the appropriate script that starts
pcnfsd, located in /etc/rc2.d.

The README file for this advisory will be updated when further patch 
information is available.


Silicon Graphics Corporation
============================
pcnfsd was only released for IRIX 5.3 and IRIX 6.2.
SGI is producing patch1179 for IRIX 5.3.
IRIX 6.2 is not vulnerable.


.........................................................................     
Appendix B: Patch Information

Here is the patch for pcnfsd_print.c. It is also available as:

        ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd_print.c.diffs
        ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd_print.c.diffs

        MD5 (pcnfsd_print.c-diffs) = ec44046ff5c769aa5bf2d8d155b61f1f

---------------------------------CUT HERE---------------------------------
*** /tmp/T0a002c1       Fri Apr  5 13:14:50 1996
--- pcnfsd_print.c      Fri Apr  5 13:14:46 1996
***************
*** 221,226 ****
--- 221,227 ----
  {
  int    dir_mode = 0777;
  int rc;
+ mode_t oldmask;
  
        *sp = &pathname[0];
        pathname[0] = '\0';
***************
*** 231,241 ****
        /* get pathname of current directory and return to client */
  
        (void)sprintf(pathname,"%s/%s",sp_name, sys);
        (void)mkdir(sp_name, dir_mode); /* ignore the return code */
-       (void)chmod(sp_name, dir_mode);
        rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */
        if((rc < 0 && errno != EEXIST) ||
-          (chmod(pathname, dir_mode) != 0) ||
           (stat(pathname, &statbuf) != 0) ||
           !(statbuf.st_mode & S_IFDIR)) {
           (void)sprintf(tempstr,
--- 232,242 ----
        /* get pathname of current directory and return to client */
  
        (void)sprintf(pathname,"%s/%s",sp_name, sys);
+       oldmask = umask(0);
        (void)mkdir(sp_name, dir_mode); /* ignore the return code */
        rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */
+       umask(oldmask);
        if((rc < 0 && errno != EEXIST) ||
           (stat(pathname, &statbuf) != 0) ||
           !(statbuf.st_mode & S_IFDIR)) {
           (void)sprintf(tempstr,
***************
*** 381,387 ****
                   ** filter with the appropriate arguments.
                     **------------------------------------------------------
                   */
!                  (void)run_ps630(new_pathname, opts);
                   }
                /*
                ** Try to match to an aliased printer
--- 382,391 ----
                   ** filter with the appropriate arguments.
                     **------------------------------------------------------
                   */
!                  (void)sprintf(tempstr,
!                       "rpc.pcnfsd: ps630 filter disabled for %s\n", pathname);
!                       msg_out(tempstr);
!                       return(PS_RES_FAIL);
                   }
                /*
                ** Try to match to an aliased printer
---------------------------------CUT HERE---------------------------------

Visit your host, monkey.org