COMMAND
pcnfsd
SYSTEMS AFFECTED
Systems running pcnfsd
PROBLEM
PCNFSD supports printing in which a print job uses NFS to
transfer files from the client to the pcnfsd server. The process
works as follows:
- The client requests a path to the printer's spool directory
from the server,
- The client then writes the necessary files for printing,
- The client then informs the pcnfsd server that the files are
ready for printing,
- Pcnfsd then writes a subdirectory for the client using the
client's hostname,
- This pathname is returned to the clients via the NFS server.
NOTE: The PCNFSD server and the NFS server may or may not be two
different machines. PCNFSD runs as root. It creates the
directories with mkdir and then chmods them 777 (user, group, and
world readable, writeable, and executable). If the target
directory is replaced with a symbolic link pointing to a
restricted file or directory, the mkdir fails, but the chmod
still succeeds (!), since chmod follows the link. The target of
the symbolic link is left mode 777. The intruder can then rewrite
the password file and gain root access.
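As an added illustration (not code from the advisory or from the pcnfsd distribution), the C program below contrasts the mkdir-then-chmod-by-path sequence described above with a version that changes the mode only through a descriptor opened with O_NOFOLLOW | O_DIRECTORY, so a planted symlink is refused instead of followed. The scratch area under /tmp, the 0600 "target" file standing in for a protected file and the "client" symlink standing in for a swapped spool entry are all constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700        /* symlink(), fchmod(), O_NOFOLLOW, O_DIRECTORY */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* The sequence the advisory describes: mkdir by path, then chmod 777 by path,
 * with the mkdir result ignored. chmod(2) follows symbolic links, so a spool
 * entry swapped for a symlink sends the mode change to the link's target. */
static int legacy_spool_mkdir(const char *path)
{
    (void)mkdir(path, 0777);          /* EEXIST is ignored */
    return chmod(path, 0777);         /* lands on whatever the path resolves to */
}

/* Hardened sequence: never change a mode by path. Create (or accept) the
 * directory, open it with O_NOFOLLOW | O_DIRECTORY so a symlink or a plain file
 * fails the open, confirm with fstat, then fchmod the descriptor we hold. The
 * mode is an explicit argument (0755 in the demo) rather than 777. */
int safe_spool_mkdir(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                    /* ELOOP for a symlink, ENOTDIR for a file */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = ENOTDIR;
        return -1;
    }
    int rc = fchmod(fd, mode);        /* affects only the directory we opened */
    close(fd);
    return rc;
}

/* ---- constructed scenario for the demo (scratch files under /tmp) ---- */

static int mode_of(const char *p)
{
    struct stat st;
    return lstat(p, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

static void scratch_dir(char *dir, size_t n)
{
    snprintf(dir, n, "/tmp/pcnfs-demo-%ld", (long)getpid());
    (void)mkdir(dir, 0700);
}

/* 'target' is a 0600 regular file standing in for a protected file; 'client'
 * is a symlink to it standing in for a spool entry replaced by a link. */
static int build_scenario(char *target, char *link, size_t n)
{
    char dir[64];
    scratch_dir(dir, sizeof dir);
    snprintf(target, n, "%s/target", dir);
    snprintf(link, n, "%s/client", dir);
    unlink(link);
    unlink(target);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return (chmod(target, 0600) == 0 && symlink(target, link) == 0) ? 0 : -1;
}

/* 1 if the legacy sequence "succeeded" and the link's target is now 0777. */
int demo_legacy_changes_target(void)
{
    char target[96], link[96];
    if (build_scenario(target, link, sizeof target) != 0)
        return -1;
    return legacy_spool_mkdir(link) == 0 && mode_of(target) == 0777;
}

/* 1 if the hardened sequence refused the link and the target is still 0600. */
int demo_hardened_refuses(void)
{
    char target[96], link[96];
    if (build_scenario(target, link, sizeof target) != 0)
        return -1;
    return safe_spool_mkdir(link, 0755) == -1 && mode_of(target) == 0600;
}

/* 1 if the hardened sequence creates a fresh entry as a 0755 directory. */
int demo_hardened_creates_fresh(void)
{
    char dir[64], fresh[96];
    scratch_dir(dir, sizeof dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    rmdir(fresh);
    int ok = safe_spool_mkdir(fresh, 0755) == 0 && mode_of(fresh) == 0755;
    rmdir(fresh);
    return ok;
}

int main(void)
{
    printf("legacy:   chmod redirected onto symlink target: %s\n", demo_legacy_changes_target() == 1 ? "yes" : "no");
    printf("hardened: symlink refused, target untouched:    %s\n", demo_hardened_refuses() == 1 ? "yes" : "no");
    printf("hardened: fresh entry created as 0755 dir:      %s\n", demo_hardened_creates_fresh() == 1 ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is that the mode change is applied to a descriptor the program has already verified to be a directory, so there is no window between the path lookup and the chmod in which the entry can be swapped; the same fd could be passed on to the code that later writes print files into the directory.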
PCNFSD calls the system(3) subroutine as root, and the string
passed to system can be "influenced" by arguments given in the
RPC. Remote users can execute any command on the machine where
PCNFSD runs.
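The remedy for the system(3) problem is to stop handing client-supplied text to a shell at all. The following C example is added here and is not pcnfsd code: it assumes the command string was built from a client-supplied printer name and file name (the actual pcnfsd request fields are not given on the page), validates each against a strict allowlist, and then runs the print command via fork/execv with an explicit argv, so no shell ever parses the input. /bin/echo stands in for the real print command so the program runs anywhere.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape described by the advisory (shown for contrast, never called):
 *     snprintf(cmd, sizeof cmd, "lpr -P%s %s", printer, file);
 *     system(cmd);
 * Every byte of 'printer' and 'file' reaches /bin/sh, so shell metacharacters
 * in an RPC argument become commands executed with pcnfsd's root privilege. */

/* Allowlist check for an RPC-supplied name: 1..max bytes of [A-Za-z0-9._-],
 * and it may not start with '-' so the program we run cannot take it for an
 * option. (Field names are assumed; the real request layout is not on the page.) */
int rpc_name_is_safe(const char *s, size_t max)
{
    size_t n = strlen(s);
    if (n == 0 || n > max || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* fork/execv with an explicit argv and no shell: each element is one argument,
 * passed verbatim, so there is no command string for metacharacters to act on.
 * Returns the child's exit status, or -1 on spawn failure / abnormal exit. */
int run_noshell(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);               /* only reached if execv itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened job start: reject anything outside the allowlist (-2) before any
 * process is spawned; otherwise exec the print command directly. */
int start_print_job(const char *printer, const char *file)
{
    if (!rpc_name_is_safe(printer, 32) || !rpc_name_is_safe(file, 64))
        return -2;
    char *argv[] = { "echo", "-P", (char *)printer, (char *)file, NULL };
    return run_noshell("/bin/echo", argv);   /* /bin/echo stands in for lpr */
}

int main(void)
{
    printf("valid request   -> %d\n", start_print_job("lp0", "job1.txt"));
    printf("metacharacters  -> %d\n", start_print_job("lp0;x", "job1.txt"));
    printf("leading dash    -> %d\n", start_print_job("lp0", "-x"));
    return 0;
}
```

Validation and exec-without-shell are independent layers: the allowlist limits what a client can put in a name at all, and execv guarantees that whatever does get through is seen by the print program as a single literal argument rather than interpreted by /bin/sh.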
SOLUTION
Obtain and install the following patched pcnfsd software:
ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z
ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z
Ensure that the mode of the top-level pcnfsd spool directory is
755.
chmod 755 /usr/spool/pcnfs
Run SecureRPC, or secure and run DCE.
Patches for AIX are as follows:
AIX 3.2
-------
APAR - IX57623 (PTF - U442633)
APAR - IX56965 (PTF - U442638)
AIX 4.1
-------
APAR - IX57616
APAR - IX56730