[VIM] rpc.pcnfsd mess
jericho at attrition.org
Sun Aug 28 21:06:17 EDT 2005
Geez this is a headache ..
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or
execute arbitrary commands through arguments in the RPC call.
Christey> This candidate should be SPLIT, since there are two separate
software flaws. One is a symlink race and the other is a
shell metacharacter problem.
based on: http://archives.neohapsis.com/archives/bugtraq/1995_4/0124.html
rpc.pcnfsd in HP gives remote root access by changing the permissions on
the main printer spool directory.
pr_init() Symlink File Permission Modification Privilege Escalation
run_ps630() Crafted Request Remote Command Execution
Rhino9 Security Advisory - RPC.PCNFSD VULNERABILITES
Vulnerability #1: pr_cancel - Most implementations of rpc.pcnfsd
Vulnerability #2: get_pr_status - OpenBSD is the only confirmed vulnerable OS
Vulnerability #3: mapid / auth - All implementations are vulnerable
Now follow-up to R9 post:
I should mention that both the RepSec and Rhino advisories document bugs
which were found and documented 2 years ago.
Both the vulnerable chmod and the su_popen functions were documented in
The mkdir bug is somewhat different, however, only because the previous
fix wasn't sufficient enough to prevent it. The result is the same, the
ability to change arbitrary permissions to 777. Unfortunately whoever
fixed this originally, didn't see far enough into it.
Follow-up to RSI post:
By the way, at least the first problem has been known for a few weeks.
See ftp://ftp.cert.org/pub/cert_advisories/CA-96.08.pcnfsd (dated April
1996) for a
The confusion is Avalon didn't really do any disclosure beyond exploit
code. RSI gave details but subsequent posts suggest RSI #1 issue is the
same as one of the Avalon, even though some of the keywords aren't found
in each description. Oliver's post suggests that RSI/R9 did not disclose
anything new, but that seems like 5 distinct issues when Avalon previously
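The two flaw classes the thread keeps circling back to (a chmod on a printer spool path that an attacker can swap for a symlink, and an RPC argument handed to a shell via popen/su_popen) are easier to tell apart when the hardened pattern for each sits side by side. The following is an added illustration written for this note, not code from pcnfsd, any vendor fix, or any of the advisories quoted above. The function names, the scratch directory under /tmp and the use of O_NOFOLLOW with fchmod are all assumptions of this example (Linux/BSD semantics: open(2) on a symlink with O_NOFOLLOW fails instead of following it).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Class 2 (run_ps630 / su_popen style): an RPC string argument that ends up
 * in a shell command line. Return 1 if it contains anything a shell would
 * interpret; a daemon should reject such requests outright rather than quote.
 * The metacharacter set is this example's own choice, not pcnfsd's. */
int has_shell_metachars(const char *arg) {
    static const char meta[] = ";|&`$<>()\\\"'\n\r*?[]{}~ \t";
    if (arg == NULL || *arg == '\0') return 1;   /* empty is not a valid name */
    return strpbrk(arg, meta) != NULL;
}

/* Class 1 (pr_init style): chmod on a path an unprivileged user can replace.
 * Opening with O_NOFOLLOW refuses a symlink at the final component, and
 * fchmod() acts on the object we actually opened, so there is no window in
 * which the path can be re-resolved. Returns 0 on success, -1 (errno set) on
 * failure, including when the path is a symlink. */
int chmod_nofollow(const char *path, mode_t mode) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Self-check: build a scratch tree (constructed for this example), a real
 * "spool" directory and a symlink pointing at it, and confirm that
 * chmod_nofollow() changes the real directory but refuses the symlink.
 * Returns 1 when behaviour is as expected, 0 otherwise. */
int demo_symlink_case(void) {
    char tmpl[] = "/tmp/pcnfsd-demo-XXXXXX";
    char *base = mkdtemp(tmpl);
    if (base == NULL) return 0;
    char real[256], lnk[256];
    snprintf(real, sizeof real, "%s/spool", base);
    snprintf(lnk, sizeof lnk, "%s/spool-link", base);
    int ok = 0;
    if (mkdir(real, 0700) == 0 && symlink(real, lnk) == 0) {
        int r1 = chmod_nofollow(real, 0755);   /* real directory: allowed   */
        int r2 = chmod_nofollow(lnk, 0777);    /* symlink: must be refused  */
        struct stat st;
        ok = (r1 == 0 && r2 == -1 &&
              lstat(real, &st) == 0 && (st.st_mode & 07777) == 0755);
    }
    unlink(lnk);
    rmdir(real);
    rmdir(base);
    return ok;
}

int main(void) {
    /* Constructed request arguments, one benign and one carrying a shell
     * metacharacter; only the first should reach a popen()-style call. */
    const char *args[] = { "lp1", "lp1;id" };
    for (int i = 0; i < 2; i++)
        printf("%-8s -> %s\n", args[i],
               has_shell_metachars(args[i]) ? "REJECT" : "accept");
    printf("symlink-safe chmod check: %s\n",
           demo_symlink_case() ? "ok" : "FAILED");
    return 0;
}
```

The split Christey asks for maps directly onto the two functions: the first defect is about what the argument contains, the second about what the path points at when the privileged operation runs, and neither fix addresses the other.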