CVE-1999-0078
CVSS 1.9
Published: 1996-04-18 00:00:00
Revised: 2008-09-09 08:33:40
NMCOS    

[Original] pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.


[CNNVD] Multiple vendor rpc.pcnfsd remote arbitrary command execution vulnerability (CNNVD-199604-003)

        
        rpc.pcnfsd is an RPC daemon that provides authentication and printing services over the network; it ships with a large number of Unix-like operating systems.
        Some versions of rpc.pcnfsd contain an input-validation flaw that a remote attacker may use to execute arbitrary commands on the host with root privileges.
        Those versions pass user-supplied RPC call argument values to system() without adequate checking. A remote attacker can therefore craft argument values for the rpc.pcnfsd daemon that embed shell commands; because rpc.pcnfsd runs as root by default, those commands run as root.
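The flaw class described above (an RPC-supplied string spliced into a command line that a shell then parses, which the OSVDB entry below attributes to su_popen()) is easiest to see next to its fix. The following is an added, illustrative reconstruction written for this page, not pcnfsd's own source: the print command "/usr/bin/lpr -P<printer> <file>", the printer-name length limit and the function names are assumptions. It shows the unsafe string construction, an allowlist check for the RPC argument, and execution through an argv vector so that no shell ever interprets the request data.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative reconstruction of the flaw class, not pcnfsd's source.
 * Assumed: the daemon prints a spooled file by running
 * "/usr/bin/lpr -P<printer> <file>", where <printer> comes from the
 * RPC request (hypothetical command and limits). */

#define CMD_MAX 256
#define PRINTER_MAX 32

/* Vulnerable pattern: the request's printer name is spliced into a shell
 * command string that would then be handed to system()/popen(). A name such
 * as "lp;id >/tmp/x" makes /bin/sh run two commands, as the daemon's user
 * (root by default). Returns 0 on success, -1 if the buffer is too small. */
int build_shell_cmd_unsafe(char *out, size_t outsz,
                           const char *printer, const char *file)
{
    int n = snprintf(out, outsz, "/usr/bin/lpr -P%s %s", printer, file);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened check: accept a printer name only if it is non-empty, short and
 * consists solely of [A-Za-z0-9_-]. Returns 1 if acceptable, else 0.
 * An allowlist is used on purpose: there is no list of "bad" characters
 * to get wrong. */
int printer_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > PRINTER_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened execution: validate, then run the program directly with an argv
 * vector. No shell parses the arguments, so a metacharacter would only ever
 * be a byte inside one argv entry. Returns the child's exit status, or -1
 * if the name is rejected or the fork/wait fails. */
int run_lpr_safe(const char *printer, const char *file)
{
    if (!printer_name_ok(printer))
        return -1;

    char popt[PRINTER_MAX + 3];               /* "-P" + name + NUL */
    snprintf(popt, sizeof popt, "-P%s", printer);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/usr/bin/lpr", popt, (char *)file, NULL };
        execv(argv[0], argv);
        _exit(127);                           /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *hostile = "lp;id >/tmp/pwned";
    char cmd[CMD_MAX];

    /* What the unsafe path would hand to /bin/sh (never executed here): */
    if (build_shell_cmd_unsafe(cmd, sizeof cmd, hostile, "job.txt") == 0)
        printf("unsafe command line: %s\n", cmd);

    /* The hardened path refuses the same input before anything runs: */
    printf("hardened path result for hostile name: %d\n",
           run_lpr_safe(hostile, "job.txt"));
    printf("printer_name_ok(\"lp1\") = %d\n", printer_name_ok("lp1"));
    return 0;
}
```

The point of the example is the combination: validation alone still leaves a shell in the path, and exec-with-argv alone still lets a crafted name reach lpr as an option; doing both removes the shell from the data path and bounds what the remaining program sees.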
        

- CVSS (base score)

CVSS score: 1.9 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required]

Note that this vector (local access, no integrity impact) reflects the NVD scoring of the MITRE wording and does not match the remote root command execution described in the CNNVD summary and the SecurityFocus entry below; do not use the 1.9 score alone to deprioritise a host that still exposes rpc.pcnfsd.

- CPE (affected platforms and products)

cpe:/a:ncr:mp-ras:2.03
cpe:/o:freebsd:freebsd:6.2:stable
cpe:/o:sun:solaris:2.5
cpe:/o:sco:unixware:2.1
cpe:/o:nec:up-ux_v (NEC UP-UX_V)
cpe:/o:next:nextstep
cpe:/o:sco:openserver:5
cpe:/a:ncr:mp-ras:3.0
cpe:/o:sgi:irix:5.3 (SGI IRIX 5.3)
cpe:/o:sun:sunos:4.1 (Sun SunOS 4.1)
cpe:/o:ibm:aix:3.2 (IBM AIX 3.2)
cpe:/o:ibm:aix:4.1 (IBM AIX 4.1)
cpe:/o:sun:solaris:2.4
cpe:/o:ibm:aix:4.2 (IBM AIX 4.2)
cpe:/a:ncr:mp-ras:3.01
cpe:/o:bsdi:bsd_os
cpe:/o:hp:hp-ux (HP-UX family of operating systems)

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0078
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0078
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199604-003
(official data source) CNNVD

- Other links and resources

- Vulnerability information

Multiple vendor rpc.pcnfsd remote arbitrary command execution vulnerability
Severity: Low   Type: Input validation
Published: 1996-04-18 00:00:00   Updated: 2007-07-13 00:00:00
Attack vector: Remote

- Advisories and patches

        Vendor patches:
        HP
        --
        HP has published a security bulletin (HPSBUX9902-091) with corresponding patches:
        HPSBUX9902-091: Security Vulnerability with rpc.pcnfsd
        Link:
        Patch numbers by release:
        HP-UX 10.01 PHNE_17248
        HP-UX 10.10 PHNE_17248
        HP-UX 10.20 PHNE_17098
        HP-UX 11.00 PHNE_16470
        The patches can be downloaded from HP's FTP site:
        ftp://us-ffs.external.hp.com/hp-ux_patches
        Patch installation:
         1. Back up the system before installing the patch.
         2. Log in as root.
        
         3. Copy the patch to /tmp.
        
         4. Change to /tmp and unshar the patch. HP's generic instructions use PHCO_xxxxx as a placeholder; substitute the PHNE_ patch number listed above for your release (for example PHNE_17248 on HP-UX 10.10):
        
         cd /tmp
         sh PHCO_xxxxxx
        
         5a. On a stand-alone system, run swinstall to install the patch:
        
         swinstall -x autoreboot=true -x match_target=true \
         -s /tmp/PHCO_xxxxx.depot
        
         By default the replaced software is saved under /var/adm/sw/patch/PHCO_xxxxx. If you do not want a backup copy, create an empty file /var/adm/sw/patch/PATCH_NOSAVE and the system will not keep one.
        
         Warning: if that file exists while the patch is installed, the patch cannot be removed afterwards; use this option with care.
        SGI
        ---
        SGI has published security advisory 20020802-01-I:
        20020802-01-I: rpc.pcnfsd vulnerabilities
        Link: ftp://patches.sgi.com/support/free/security/advisories/20020802-01-I
        SGI no longer provides patches for the pcnfsd package and recommends removing it as follows:
         $ su -
         # versions remove pcnfsd
        No reboot is needed afterwards, but you must remove the /var/spool/pcnfs line from /etc/exports and delete the /var/spool/pcnfs directory:
         # exportfs -u /var/spool/pcnfs
         # rmdir /var/spool/pcnfs
         # cp /etc/exports /etc/exports.OLD
         # sed '\/var\/spool\/pcnfs/d' /etc/exports > /tmp/tmpfile; mv /tmp/tmpfile /etc/exports
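Two things a practitioner wants around the SGI removal steps above: an exports edit that removes only the exact /var/spool/pcnfs entry (the sed shown deletes every line containing that string, which would also take out a comment or a path such as /var/spool/pcnfs-old), and a way to confirm, before and after any vendor fix, whether a host still registers pcnfsd with the portmapper. The script below is an added example written for this page, not part of the SGI advisory or of pcnfsd. It assumes pcnfsd registers RPC program number 150001, that `rpcinfo -p` prints the columns program/vers/proto/port/service, and it uses constructed sample inputs so it runs offline.

```sh
#!/bin/sh
# Added example (not from the SGI advisory): helpers for the pcnfsd cleanup
# and for verifying that no pcnfsd service is still registered.
# Assumption: pcnfsd registers RPC program number 150001 with the portmapper.

# Drop only the /etc/exports entries whose export path is exactly
# /var/spool/pcnfs. Reads the exports file on stdin, writes the result to
# stdout. Unlike a substring match it leaves comments and paths such as
# /var/spool/pcnfs-old alone.
strip_pcnfs_export() {
    awk '$1 != "/var/spool/pcnfs"'
}

# Print "proto port" for every pcnfsd registration found in `rpcinfo -p`
# output read from stdin; exit status 0 if any was found, 1 otherwise.
pcnfsd_registrations() {
    awk '
        # rpcinfo -p columns: program vers proto port [service]
        $1 == "150001" || $5 == "pcnfsd" { print $3, $4; found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Live check against a host (needs network access; not used offline):
#   check_host nfs-server.example.net && echo "pcnfsd still registered"
check_host() {
    rpcinfo -p "$1" | pcnfsd_registrations
}

# Constructed sample inputs for offline use.
SAMPLE_EXPORTS='# exports on an IRIX host
/var/spool/pcnfs -rw
/var/spool/pcnfs-old -ro
/home -rw'

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    150001    2   udp   1047  pcnfsd
    150001    2   tcp   1048  pcnfsd
    100005    1   udp    752  mountd'

SAMPLE_RPCINFO_CLEAN='   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    1   udp    752  mountd'
```

To apply the exports edit in place, keep the advisory's backup step and write through a temporary file as it does: `cp /etc/exports /etc/exports.OLD && strip_pcnfs_export < /etc/exports.OLD > /tmp/exports.new && mv /tmp/exports.new /etc/exports`. Matching on the program number as well as the service name matters because rpcinfo prints the name only when it can resolve it from /etc/rpc.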

- Vulnerability information

5743
Multiple Unix Vendor rpc.pcnfsd Multiple Function su_popen() Arbitrary Remote Command Execution
Location: Remote / Network Access   Attack type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity

- Vulnerability description

pcnfsd contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered during normal operation when file permissions are changed on a symbolic link to a restricted directory. The impact is that directories can become world writable.

- Timeline

1994-12-19 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, consult your vendor for a patch to address this vulnerability.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Multiple Vendor PCNFSD Remote Command Execution Vulnerability
Class: Input Validation Error   Bugtraq ID: 5378
Remote: Yes   Local: No
Published: 1996-04-18 12:00:00   Updated: 2009-07-11 02:56:00
Credit is given to Josh Daymont, Ben G., and Alfred H. of Avalon Security Research.

- Affected versions

Sun SunOS 4.1.4
Sun SunOS 4.1.3
Sun SunOS 4.1.2
Sun SunOS 4.1.1
Sun SunOS 4.1
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Solaris 2.4_x86
Sun Solaris 2.4
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SCO Unixware 2.1
SCO Unixware 2.0.3
SCO Unixware 2.0
SCO Open Server 5.0
IBM AIX 4.2
IBM AIX 4.1
IBM AIX 4.0
IBM AIX 3.2
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX 10.01
BSDI BSD/OS 2.1

- Discussion

pcnfsd, also known as rpc.pcnfsd, is a daemon able to handle authentication and printing over the network. It is available for a wide range of Unix based operating systems.

A vulnerability in some versions of pcnfsd may allow a remote attacker to execute arbitrary commands as the server process. An attacker able to exploit this vulnerability may gain local access to the vulnerable system. pcnfsd normally runs with root privileges.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

SGI has advised that administrators uninstall the pcnfsd package from IRIX systems. SGI no longer supports the pcnfs package. An updated version has, however, been made available by the SGI Freeware volunteer team:

http://freeware.sgi.com/index-by-alpha.html

Some vendor fixes are available. Details are available in the referenced CERT advisory CA-1996-08.

- References
