Re: pcnfsd ...
From: markz () REPSEC COM (Mark Zielinski)
Date: Wed, 14 Oct 1998 14:49:04 -0700
On Tue, 13 Oct 1998, ga wrote:
> I didn't succeed in using the ps630() hole explained in the RepSec advisory
> (same as the pr_cancel() phf-like bug). It's because pcnfsd_print.c checks
> if the file really exists (and then tries to rename it with the .spl
> extension). Therefore, if the file doesn't exist, an error is
> returned. However, if a local user creates a filename in the
> /var/spool/pcnfs directory which is in fact the command to execute (ex:
> /var/spool/pcnfs/FILENAME\nwhoami\nBLAH), then ps630() will work indeed,
> executing the command as root. I didn't try it though.
The way to remotely exploit the ps630 function is by tricking pcnfsd
into detecting a file, which will then allow you to get to the vulnerable
You can do this by sending a '.', which will be there.
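As an added defender-side check, not part of this thread or of pcnfsd itself: a small Python script that scans a pcnfsd spool directory for entries whose names embed newlines or other control characters, the local-attacker pattern the quoted message describes. The spool path defaults to the /var/spool/pcnfs directory named in the thread; the sample filenames in demo() are constructed.

```python
import os
import tempfile

# Spool directory named in the thread; pass another path to scan_spool() for testing.
DEFAULT_SPOOL_DIR = "/var/spool/pcnfs"


def control_chars(name: str) -> list:
    """Return every control character (newline, CR, NUL range, DEL) found in a filename."""
    return [c for c in name if ord(c) < 0x20 or ord(c) == 0x7F]


def scan_spool(path: str = DEFAULT_SPOOL_DIR) -> dict:
    """Map each directory entry whose name embeds control characters to those characters.

    A legitimate print job name never needs a newline, so any entry carrying one
    in this directory is worth an analyst's attention.
    """
    findings = {}
    for entry in os.listdir(path):
        bad = control_chars(entry)
        if bad:
            findings[entry] = bad
    return findings


def report(findings: dict) -> list:
    """Render findings one per line, using repr() so the control characters stay visible."""
    return [f"suspicious spool entry: {name!r} contains {bad!r}"
            for name, bad in sorted(findings.items())]


def demo() -> dict:
    """Build a throwaway spool directory with constructed names and scan it."""
    with tempfile.TemporaryDirectory() as spool:
        # Constructed sample entries: two ordinary job files, two with embedded control characters.
        for name in ("job001.spl", "report.txt", "job002\nEXTRA\nLINE", "bad\rname"):
            open(os.path.join(spool, name), "w").close()
        return scan_spool(spool)


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```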