[VIM] rpc.pcnfsd mess

security curmudgeon jericho at attrition.org
Sun Aug 28 21:06:17 EDT 2005

Geez this is a headache ..


pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or 
execute arbitrary commands through arguments in the RPC call.
Christey> This candidate should be SPLIT, since there are two separate
    software flaws.  One is a symlink race and the other is a
    shell metacharacter problem.

based on: http://archives.neohapsis.com/archives/bugtraq/1995_4/0124.html


rpc.pcnfsd in HP gives remote root access by changing the permissions on 
the main printer spool directory.



pr_init() Symlink File Permission Modification Privilege Escalation
run_ps630() Crafted Request Remote Command Execution


Rhino9 Security Advisory - RPC.PCNFSD VULNERABILITES

Vulnerability #1: pr_cancel - Most implementations of rpc.pcnfsd
Vulnerability #2: get_pr_status - OpenBSD is the only confirmed vulnerable OS
Vulnerability #3: mapid / auth - All implementations are vulnerable


Now followup to R9 post:

I should mention that both the RepSec and Rhino advisories document bugs
which were found and documented 2 years ago.

Both the vulnerable chmod and the su_popen functions were documented in
the CA-96.08.pcnfsd.

The mkdir bug is somewhat different, however, only because the previous
fix wasn't sufficient enough to prevent it.  The result is the same, the
ability to change arbitrary permissions to 777.  Unfortunately whoever
fixed this originally, didnt see far enough into it.

followup to RSI post:

By the way, at least the first problem has been known for a few weeks.
See ftp://ftp.cert.org/pub/cert_advisories/CA-96.08.pcnfsd (dated April
1996) for a

The confusion is Avalon didn't really do any disclosure beyond exploit 
code. RSI gave details but subsequent posts suggest RSI #1 issue is the 
same as one of the Avalon, even though some of the keywords aren't found 
in each description. Oliver's post suggests that RSI/R9 did not disclose 
anything new, but that seems like 5 distinct issues when Avalon previously 
disclosed 2?

More information about the VIM mailing list