Original issue date: April 18, 1996<BR>
Last revised: December 5, 1997<BR>
Updated information for NCR Corporation.

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received reports of two
vulnerabilities in the pcnfsd program (pcnfsd is also known as
rpc.pcnfsd); we have also received reports that these problems are
being exploited. These vulnerabilities are present in some
vendor-provided versions of pcnfsd and in some publicly available
versions.

<P>These two vulnerabilities were reported by Avalon Security Research
in reports entitled "pcnfsd."

<P>If you are using a vendor-supplied version of pcnfsd, please see
the vendor information in Section III.A and Appendix A. Until you can
install a patch from your vendor for these vulnerabilities, consider
using the publicly available version described in Section III.B.

<P>If you already use or plan to switch to a public version, we urge you
to use the version cited in Section III.B or install the patch described
in Section III.C. This patch has already been incorporated into the pcnfsd
version described in III.B. There are many different public domain versions
of pcnfsd, and we have not analyzed the vulnerability of those versions.
We have analyzed and fixed the problems noted in this advisory only in
the version described in III.B.

<P>We will update this advisory as we receive additional information. Please
check advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>
The pcnfsd program (also called rpc.pcnfsd) is an authentication and printing
program that runs on a UNIX server. There are many publicly available versions,
and several vendors supply their own version.

<P>pcnfsd supports a printing model that uses NFS to transfer files from
a client to the pcnfsd server. (Note: pcnfsd does *not* provide NFS services.)
When a client wants to print a file, it requests the path to a spool directory
from the server. The client then writes the necessary files for printing
using NFS, and informs the pcnfsd server that the files are ready for printing.

<P>pcnfsd creates a subdirectory for each of its clients using the client's
hostname, then returns this path name to the client. The returned path
name must be exported to those clients by the NFS server. The NFS server
and the pcnfsd server may be two separate machines.

<P>The first vulnerability is that pcnfsd, which runs as root, creates
the aforementioned directories with <I>mkdir(2)</I> and then changes their
mode with <I>chmod(2)</I> to mode 777. If the target directory is replaced
with a symbolic link pointing to a restricted file or directory, the <I>mkdir(2)</I>
will fail but the <I>chmod(2)</I> will succeed. This means that the target
of the symbolic link will be mode 777.

<P>Note that pcnfsd must run as root when servicing print requests so that
it can assume the identity of the PC user when interacting with UNIX print
commands. On some systems, pcnfsd may also have to run as root so it can
read restricted files when carrying out authentication tasks.
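<P>The mkdir(2)/chmod(2) sequence described above, as an added example that is not pcnfsd's own source and not the CERT patch: the unsafe version reproduces the path-based chmod, and a hardened version opens the entry with O_NOFOLLOW and changes the mode through the descriptor with fchmod(2). The scratch directory under /tmp, the file names, and the ownership check are this example's own assumptions. Note that the top-level spool directory must itself be mode 755 and root-owned (Section III.B) so that only root can plant entries in it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern Section I describes: create the client's spool directory,
 * then set its mode by path name.  If the entry has been replaced with a
 * symbolic link, mkdir() fails with EEXIST but chmod() follows the link and
 * changes the mode of whatever it points at. */
int make_spool_dir_unsafe(const char *path, mode_t mode)
{
    (void)mkdir(path, mode);          /* result ignored */
    return chmod(path, mode);         /* acts on the link target */
}

/* Hardened variant (this example's own approach, not the CERT patch):
 * open the entry with O_NOFOLLOW so a symbolic link is an error, confirm
 * through the descriptor that it is a directory we own, and only then
 * change the mode with fchmod() on that same descriptor. */
int make_spool_dir_safe(const char *path, mode_t mode)
{
    struct stat st;
    int fd, rc;

    if (mkdir(path, mode) == -1 && errno != EEXIST)
        return -1;
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)                     /* ELOOP if 'path' is a symlink */
        return -1;
    if (fstat(fd, &st) == -1 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    rc = fchmod(fd, mode);            /* the directory itself, never a link target */
    close(fd);
    return rc;
}

/* Constructed scenario in a scratch directory: a private file (mode 0600)
 * and a spool entry that is a symlink to it.  Returns a bitmask of
 * observations; 31 means every expected behaviour was seen. */
int demo_symlink_spool(void)
{
    char dir[] = "/tmp/pcnfsd-demo-XXXXXX";
    char target[64], link[64], fresh[64];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/private", dir);
    snprintf(link, sizeof link, "%s/client", dir);
    snprintf(fresh, sizeof fresh, "%s/client2", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return -1;
    close(fd);
    if (symlink(target, link) == -1)
        return -1;

    /* 1: path-based chmod follows the link; the private file becomes 0777 */
    if (make_spool_dir_unsafe(link, 0777) == 0)
        result |= 1;
    if (stat(target, &st) == 0 && (st.st_mode & 07777) == 0777)
        result |= 2;
    chmod(target, 0600);

    /* 2: the hardened version refuses the link and leaves the file alone */
    if (make_spool_dir_safe(link, 0777) == -1)
        result |= 4;
    if (stat(target, &st) == 0 && (st.st_mode & 07777) == 0600)
        result |= 8;

    /* 3: on a genuine new entry it still creates the directory as requested */
    if (make_spool_dir_safe(fresh, 0777) == 0 &&
        lstat(fresh, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & 07777) == 0777)
        result |= 16;

    rmdir(fresh); unlink(link); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("observations: %d (expect 31)\n", demo_symlink_spool());
    return 0;
}
```

<P>The lstat(2)-then-chmod(2) check that many fixes of this era used still leaves a window between the check and the use; operating on a descriptor obtained with O_NOFOLLOW closes that window because the kernel refuses to follow the link at open time.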

<P>The second vulnerability is that pcnfsd calls the <I>system(3)</I> subroutine
as root, and the string passed to <I>system(3)</I> can be influenced by
the arguments given in the remote procedure call. Remote users can execute
arbitrary commands on the machine where pcnfsd runs.
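<P>The defensive counterpart to the system(3) call described above, as an added example that is not pcnfsd's own source: request fields that arrive over RPC are checked against a small allowlist, and the print command is started with fork(2)/execvp(3) from an explicit argv so no shell ever parses them. The allowlist check is this example's own, in the spirit of the suspicious() check Section III.C mentions, not that function; the lpr_cmd parameter is an assumption that lets the example run where no lpr is installed.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for names that arrive in the RPC request (printer, user, file).
 * Anything outside a small set of safe characters is rejected outright,
 * which is simpler to reason about than enumerating shell metacharacters. */
int name_is_clean(const char *s)
{
    size_t n = strlen(s);

    if (n == 0 || n > 64)
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Run a command from an explicit argv with fork()/execvp(), so no shell
 * parses the arguments.  Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in for the print step.  Instead of building a string such as
 * "lpr -P<printer> <file>" and handing it to system(3), validate the
 * request fields and pass them to the print command as separate argv
 * entries.  'lpr_cmd' is a parameter only so the example can run on a
 * machine with no lpr installed. */
int submit_print_job(const char *lpr_cmd, const char *printer, const char *file)
{
    char popt[80];
    char *argv[4];

    if (!name_is_clean(printer))
        return -1;                    /* rejected before anything runs */
    snprintf(popt, sizeof popt, "-P%s", printer);
    argv[0] = (char *)lpr_cmd;
    argv[1] = popt;
    argv[2] = (char *)file;
    argv[3] = NULL;
    return run_without_shell(argv);
}

int main(void)
{
    printf("clean printer name:   %d\n", submit_print_job("true", "lp1", "/dev/null"));
    printf("hostile printer name: %d\n", submit_print_job("true", "lp1; echo", "/dev/null"));
    return 0;
}
```

<P>Even with the allowlist, the exec-based path is what removes the vulnerability class: a string containing ";" or "|" that slips past validation reaches the child as one literal argv element rather than as shell syntax.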
<H2>II. Impact</H2>
For the first vulnerability, local users can change the permissions on
any file accessible to the local system that the root user can change.
For the second vulnerability, remote users can execute arbitrary commands
as root on the machine where pcnfsd runs.

<P>The impact is that directories can become world writable (mode 777).
What this can lead to is bounded by the creativity of the intruder. For
example, once the mode of /etc were changed to mode 777, one could then
replace the password file, and then go on from there.

<P>Exploitation of these vulnerabilities is only part of a larger attack
scenario. Once exploited, there are many pathologies that could follow.
<H2>III. Solution</H2>
If you are using pcnfsd from a vendor, consult the vendor list in Section
A. If your vendor is not listed, we recommend that you contact your vendor
directly.

<P>Until a vendor patch is available, we recommend that you obtain the
publicly available version of pcnfsd as described in Section B. This version
already has the patch described in Section C.

<P>If you are presently using a public version of pcnfsd, we recommend
that you either change to the version listed in Section B or apply the
patch described in Section C. (The version in Section B already contains
this patch.)
<H3>A. Obtain and install the appropriate patch according to the instructions included with the patch.</H3>
Below is a list of the vendors who have reported to us as of the date of
this advisory. More complete information is provided in the appendix.
We will update the appendix as we receive more information.
<BR>If your vendor's name is not on this list, please contact the vendor
directly.

<P>
<TABLE BORDER="0" WIDTH="100%">
<TR>
<TD><U>Vendor or Source</U></TD><TD><U>Status</U></TD>
</TR>
<TR>
<TD>BSDI BSD/OS</TD><TD>Vulnerable. Patch available.</TD>
</TR>
<TR>
<TD>Hewlett Packard</TD><TD>Vulnerable. Patch under development.</TD>
</TR>
<TR>
<TD>IBM AIX 3.2</TD><TD>Vulnerable. Patches available.</TD>
</TR>
<TR>
<TD>IBM AIX 4.1</TD><TD>Vulnerable. Patches available.</TD>
</TR>
<TR>
<TD>NCR Corporation</TD><TD>Vulnerable. Patches available.</TD>
</TR>
<TR>
<TD>NEXTSTEP</TD><TD>Vulnerable. Will be fixed in version 4.0.</TD>
</TR>
<TR>
<TD>SCO OpenServer 5</TD><TD>Vulnerable. Patch under development.</TD>
</TR>
<TR>
<TD>SCO UnixWare 2.1</TD><TD>Vulnerable. Patch under development.</TD>
</TR>
<TR>
<TD>SGI IRIX 5.3</TD><TD>Vulnerable. Patch under development.</TD>
</TR>
<TR>
<TD>SGI IRIX 6.2</TD><TD>Not vulnerable.</TD>
</TR>
</TABLE>



<H3>B. Until you are able to install the appropriate patch, we recommend that you obtain a version of pcnfsd from one of the following locations.</H3>
This version already has the patch mentioned in Section III.C.

<P><A HREF="ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z">ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z</A>

<BR><A HREF="ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z">ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z</A>

<P>MD5 (pcnfsd.93.02.16-cert-dist.tar.Z) =
b7af99a07dfcf24b3da3446d073f8649

<P>Build, install, and restart rpc.pcnfsd.
<BR>
<BR>Ensure that the mode of the top-level pcnfsd spool directory is 755.
In this version of pcnfsd, the top level spool directory is /usr/spool/pcnfs.
To change this to mode 755, do the following as root:
<PRE>chmod 755 /usr/spool/pcnfs</PRE>

<H3>C. A patch is available for the two vulnerabilities described in this advisory.</H3>
Apply the patch using the GNU patch utility or by hand as necessary. Rebuild,
reinstall, and restart rpc.pcnfsd. Set the mode of the top-level pcnfsd
spool directory to 755.

<P>For example, in the version of pcnfsd cited in Section B, the top level
spool directory is /usr/spool/pcnfs. To change this to mode 755, do the
following as root:
<PRE>chmod 755 /usr/spool/pcnfs</PRE>
<P>Below is the location of a version of the patch that is an improvement
over the patch originally cited in the advisory. The modifications are
in the suspicious() function in pcnfsd_misc.c, courtesy of Sun Microsystems,
Inc.

<P>To prevent any confusion concerning the checksums, please see the file
README.pcnfsd.93.02.16-cert. Checksums are also included below:

<P><A HREF="ftp://ftp.cert.org/pub/tools/pcnfsd/README.pcnfsd.93.02.16-cert">ftp://ftp.cert.org/pub/tools/pcnfsd/README.pcnfsd.93.02.16-cert</A>
<BR>MD5 (README.pcnfsd.93.02.16-cert) = 07c64cd714bfaab3eb3849439a615b79

<P><A HREF="ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z">ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z</A>
<BR>MD5 (pcnfsd.93.02.16-cert-dist.tar.Z) = dc9b50172dfba8e6f9ad0c83f0e087e8

<P>Note: When the above file is unpacked, the md5 checksum referenced in
the README.pcnfsd.93.02.16-cert matches the following:

<P>MD5 (pcnfsd.93.02.16-cert.tar) = 3a33f392d66b166cbc630275d8aba6f7

<P><A HREF="ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd_misc.c-diffs">ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd_misc.c-diffs</A>
<BR>MD5 (pcnfsd_misc.c-diffs) = e9a83e6d540ab4683767ecf6d66dda9d

<P><A HREF="ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd_print.c-diffs">ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd_print.c-diffs</A>
<BR>MD5 (pcnfsd_print.c-diffs) = 7d9dac3c14b258e855517894e2934b14
<HR>
<H2>Appendix A: Vendor Information</H2>
Below is information we have received from vendors concerning the vulnerability
described in this advisory. If you do not see your vendor's name, please
contact the vendor directly for information.
<H3>Berkeley Software Design, Inc. (BSDI)</H3>
The problem described in these vulnerabilities is present in all versions
of BSD/OS. There is a patch (our patch number U210-007) for our 2.1 version
of BSD/OS and associated products available from our patch and ftp servers
&lt;patches@BSDI.&gt; or <A HREF="ftp://ftp.BSDI.COM/bsdi/patches/patches-2.1/U210-007">ftp://ftp.BSDI.COM/bsdi/patches/patches-2.1/U210-007</A>
<H3>Data Design Systems, Inc.</H3>
The Tandem NonStop Kernel (NSK) system does NOT contain either of the
vulnerabilities cited in the advisory.
<H3>Digital Equipment Corporation</H3>
For updated information, please refer to the Digital Equipment Corporation
Vendor Bulletin #96.0383, available at:

<P><A HREF="ftp://ftp.cert.org/pub/vendors/dec/dec_96.0383">ftp://ftp.cert.org/pub/vendors/dec/dec_96.0383</A>

<P>Note: Non-contract/non-warranty customers should contact local Digital
support channels for information regarding these kits.

<P>As always, Digital urges you to periodically review your system management
and security procedures. Digital will continue to review and enhance the
security features of its products and work with customers to maintain and
improve the security and integrity of their systems.
<H3>FreeBSD Inc.</H3>
There are two separate ways of upgrading. The patch listed below is a source
code patch, and is available from:

<P><A HREF="ftp://ftp.FreeBSD.ORG/pub/FreeBSD/FreeBSD-current/ports/net/pcnfsd/patches/patch-ad">ftp://ftp.FreeBSD.ORG/pub/FreeBSD/FreeBSD-current/ports/net/pcnfsd/patches/patch-ad</A>
<BR>MD5 (patch-ad) = 6dfdf6229632e53cb060961ac09bbd1a
<BR>
<BR>This is part of the ports collection and anyone using current revisions
of the ports system will automatically have this patch applied.

<P>You can also get a FreeBSD "package" (pre-compiled binary) from:

<P><A HREF="ftp://ftp.FreeBSD.ORG/pub/FreeBSD/packages-current/net/pcnfsd-93.02.16.tgz">ftp://ftp.FreeBSD.ORG/pub/FreeBSD/packages-current/net/pcnfsd-93.02.16.tgz</A>
<BR>MD5 (pcnfsd-93.02.16.tgz) = 59c54dae46d1b4fd41887877b0a7097a
<H3>Hewlett-Packard Company</H3>

<H4>1. The rpc.pcnfsd binary that ships with HP systems contains a vulnerability that could allow a user to change permissions on a restricted file or directory.</H4>
Hewlett Packard is delivering a set of operating system dependent patches
which contain a new version of rpc.pcnfsd. Accompanying each patch is a
README file which discusses the general purpose of the patch and describes
how to apply it to your system.

<P>Recommended solution:

<P>Apply one of the following patches based on your system hardware and
operating system revision:

<P>s300/s400 9.X -  PHNE_7371
(rpc.pcnfsd)
<BR>s700/s800 9.X -  PHNE_7072
(NFS Megapatch)
<BR>s700/s800 10.X -  PHNE_7073
(NFS Megapatch)

<P>The patches described above provide a new version of the rpc.pcnfsd
executable which fixes the vulnerability.
<H4>2. The rpc.pcnfsd binary that ships with most Unix systems contains a vulnerability that could allow users to execute arbitrary commands on the machine where pcnfsd runs.</H4>
The rpc.pcnfsd daemon that ships with Hewlett Packard systems does not
make the system call that allows this vulnerability. Since HP systems are
not vulnerable - there is no fix!

<P>To subscribe to automatically receive future NEW HP Security Bulletins
please refer to information in

<P><A HREF="ftp://ftp.cert.org/pub/vendors/hp/HP.contact_info">ftp://ftp.cert.org/pub/vendors/hp/HP.contact_info</A>
<BR>
<H3>IBM Corporation</H3>
See the appropriate release below to determine your action.

<P>Until these fixes are applied, pcnfsd should be turned off and commented
out in /etc/inetd.conf.

<P>WARNING: If the line in /etc/inetd.conf has only one comment character,
it will be uncommented (and exploitable) when mknfs is run! The inetd.conf
entry must look like the following to remain turned off:

<PRE>## pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2</PRE>

<P><B>AIX 3.2</B>

<P>Apply the following fix to your system:
<BR>APAR - IX68084 (PTF - U447684 U450406)

<P>To determine if you have this PTF on your system, run the following
command:
<BR>lslpp -lB U447684 U450406

<P><B>AIX 4.1</B>

<P>Apply the following fix to your system:
<BR>APAR - IX68086

<P>To determine if you have this APAR on your system, run the following
command:
<BR>instfix -ik IX68086

<P>Or run the following command:
<BR>lslpp -h bos.net.nfs.client bos.net.nis.server

<P>Your version of bos.net.nfs.client should be 4.1.5.5 or later. Your
version of bos.net.nis.server should be 4.1.5.1 or later.

<P><B>AIX 4.2</B>

<P>Apply the following fix to your system:
<BR>APAR - IX68087

<P>To determine if you have this APAR on your system, run the following
command:
<BR>instfix -ik IX68087

<P>Or run the following command:
<BR>lslpp -h bos.net.nfs.client bos.net.nis.server

<P>Your version of bos.net.nfs.client should be 4.2.1.1 or later. Your
version of bos.net.nis.server should be 4.2.1.3 or later.

<P><B>To Order</B>

<P>APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist, reference
<A HREF="http://service.software.ibm.com/aixsupport/">http://service.software.ibm.com/aixsupport/</A>
or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

<P>IBM and AIX are registered trademarks of International Business Machines
Corporation.

<H3>NCR Corporation</H3>
The pcnfsd binary that shipped with some older NCR MP-RAS SVR4
releases contains a vulnerability that could allow a user to change
permissions on a restricted file or directory.

<P> 
NCR is delivering a set of operating system dependent patches which
contain a new version of pcnfsd.  Accompanying each patch is a README
file which discusses the general purpose of the patch and describes
how to apply it to your system.

<P>Recommended solution:

<P>Apply one of the following patches based on your operating system
revision:

<PRE>
MP-RAS 2.03.x                  - PNFS203 (Version after 5/24-96)
MP-RAS 3.00.x                  - PNFS300 (Version after 5/28-96)
MP-RAS 3.01.x and later        - Not vulnerable
</PRE>

<P>The patches described above provide a new version of the pcnfsd
executable which fixes the vulnerability.

<H3>NEC Corporation</H3>
Some systems are vulnerable and patches are available through anonymous
FTP from ftp://ftp.meshnet.or.jp in the /pub/48pub/security directory.
<TABLE BORDER="0" WIDTH="100%">
<TR>
<TD VALIGN=TOP>UP-UX/V (Rel4.2MP)</TD>

<TD VALIGN=TOP> R5.x</TD>
<TD> NECu5s003.COM.pkg
<BR>/pub/48pub/security/up/r5/pkg
<BR>Results of sum = 3060 266
<BR>md5  =  79E626B99A55FB0DBCE6EE642874570A</TD>

</TR><TR>
<TD></TD>
<TD VALIGN=TOP> R6.x</TD>
<TD> NECu6s003.COM.pkg
<BR>/pub/48pub/security/up/r6/pkg
<BR>Results of sum = 47304 272
<BR>md5  =  9FC9E993A5AB51291BF4817D3D70FBFD</TD>
</TR>
<TR>
<TD></TD>
<TD VALIGN=TOP> R7.x</TD>
<TD>NECu7s003.COM.pkg
<BR>/pub/48pub/security/up/r7/pkg
<BR>Results of sum = 46470 291
<BR>md5  =  59CA6887078AF88EA165AFD3BF5A1374</TD>
</TR>
<TR>
<TD VALIGN=TOP>EWS-UX/V  (Rel4.2)</TD>
<TD VALIGN=TOP> R7.X</TD>
<TD>NECe7s004.COM.pkg
<BR>/pub/48pub/security/ews/r7/pkg
<BR>Results of sum = 3827 194
<BR>md5  =  4D40D9258DAB7EA41C30789609818330
</TD></TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R8.x</TD>
<TD> NECe8s004.COM.pkg
<BR>/pub/48pub/security/ews/r8/pkg
<BR>Results of sum = 24399 199
<BR>md5  =  40B4CB1140791C14D1B604B6E8CB5FCB
</TD></TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R9.x<BR>(except EWS4800/110N)</TD>
<TD>NECe9s008.COM.pkg
<BR>/pub/48pub/security/ews/r9/pkg
<BR>Results of sum = 23250 203
<BR>md5  =  5AD8BED137AAE7D0067EF3120574786C
</TD></TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R9.x<BR>(EWS4800/110N)</TD>
<TD>NECe9s007.COM.pkg
<BR>/pub/48pub/security/ews/r9n/pkg
<BR>Results of sum = 3972 201
<BR>md5  =  28B2FA99F5200F81C5465571EF27E08B</TD>
</TR>
<TR>
<TD></TD>
<TD VALIGN=TOP>R10.x</TD>
<TD>NECeas004.COM.pkg
<BR>/pub/48pub/security/ews/ran/pkg
<BR>Results of sum = 51969 205
<BR>md5  =  B6E12017E66DC8DC38FBE78CA1F0B0F0</TD>
</TR>
<TR>
<TD VALIGN=TOP>EWS-UX/V (Rel4.2MP)</TD>
<TD VALIGN=TOP> R10.x</TD>
<TD> NECmas007.COM.pkg
<BR>/pub/48pub/security/ews/ra/pkg
<BR>Results of sum = 48060 291
<BR>md5  =  42F8AE832071F033E21D8718A3670D76</TD>
</TR>
<TR>
<TD VALIGN=TOP>UX/4800</TD>
<TD VALIGN=TOP>R11.x</TD>
<TD>NECmbs010.COM.pkg
<BR>/pub/48pub/security/ews/rb/pkg
<BR>Results of sum = 24885 335
<BR>md5 =  7A14CBE4EA9B2470E340B5EEFD523F95
</TD>
</TR>
</TABLE>

<BR>For further information contact: <A HREF="mailto:UX48-security-support@nec.co.jp">UX48-security-support@nec.co.jp</A>.
We encourage you to contact the vendor directly if you have any questions.

<H3>NeXT Software, Inc.</H3>
NEXTSTEP is vulnerable. This will be fixed in the 4.0 release of OpenStep
for Mach (aka NEXTSTEP 4.0, due out 2Q96).

<H3>Novell</H3>
CERT staff do not know whether Novell's enhanced version of PCNFSD (LWPNFSD)
is vulnerable to this problem. We encourage you to contact the vendor directly
if you have any questions.

<H3>The Santa Cruz Operation, Inc.</H3>
Patches for pcnfsd are currently being developed for the following releases:

<P>SCO OpenServer 5
<BR>SCO UnixWare 2.1.

<P>These releases, as well as all prior releases, are vulnerable to both
issues mentioned in the advisory. Should you not need to use pcnfs, SCO
recommends that you not run pcnfsd. This can be done by commenting out
pcnfsd in the appropriate script that starts pcnfsd, located in /etc/rc2.d.

<P>This CERT advisory will be updated when further patch
information is available.

<H3>Silicon Graphics Corporation</H3>
pcnfsd was only released for IRIX 5.3 and IRIX 6.2.

<P>SGI is producing patch1179 for IRIX 5.3.

<P>IRIX 6.2 is not vulnerable.

<H3>Sun Microsystems, Inc.</H3>
Sun has made patches available:

<P>Solaris 2.4, 2.5 (Sparc) 103095-02
<BR>Solaris 2.4, 2.5 (X86) 103457-01
<BR>SunOS 4.1.X 103096-02


<H3>TGV Software, Inc./Cisco Systems, Inc.</H3>
These vulnerabilities are UNIX-specific and are not present in any version
of MultiNet for OpenVMS.

<P><HR>

<P>The CERT Coordination Center thanks Josh Daymont, Ben G., and Alfred
H. of Avalon Security Research for providing information for this advisory.
We thank Wolfgang Ley of DFN-CERT for his help in understanding these
problems.

<P><HR>
<P>Copyright 1996 Carnegie Mellon University.</P>

<HR>

<H2>Revision History</H2>
<PRE>
Dec. 5, 1997  Appendix A - Added information for NCR Corporation.
Oct. 31, 1997 Updated vendor information for IBM.
Sep. 24, 1997 Updated copyright statement
Apr. 03, 1997 Minor changes: corrected a name in the acknowledgments;
	      indicated that CERT is now a registered service mark 
Aug. 30, 1996 Information previously in the README was inserted into the
              advisory. 
              Appendix B was moved to Sec. III.C. Appendix A - updated IBM URL
	      in "To Order" section.
Aug. 01, 1996 Appendix A - updated Hewlett-Packard patch information. 
July 26, 1996 Appendix A - modified NEC patch information.
July 5, 1996  Appendix A - added pointer to updated vendor information
              for Digital Equipment Corporation.
June 26, 1996 Appendix A - updated vendor information for NEC. 
              Appendix A - added vendor information for Data Design Systems, Inc.
May 8, 1996   Appendix A - added patch information for FreeBSD. 
May 6, 1996   Section II -added additional clarification about the impact of
              the vulnerability described.
              Appendix B - replaced the patch information originally contained
	      in Appendix B with updated information. 
	      Appendix A - added updates for Digital Equipment Corporation, 
	      Novell, Sun Microsystems, Inc, and 
	      TGV Software, Inc./Cisco Systems, Inc.
Apr. 23, 1996 Appendix A - added information from NEC Corporation.
Apr. 19, 1996 Appendix B - new information on the fix referred to in Appendix
              B of the advisory.
</PRE>