Multiple Vendors rpc.pcnfsd Service Integer Overflow Vulnerability

Affected systems:

HP HP-UX 11.31
HP HP-UX 11.23
HP HP-UX 11.11
IBM AIX 6.1
SGI IRIX 6.5

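Description:
rpc.pcnfsd is an RPC daemon that provides authentication and printing services over the network and runs on a large number of Unix-like operating systems.

The rpc.pcnfsd service used in several vendors' Unix systems has an integer overflow vulnerability when handling RPC requests. A remote attacker can send a specially crafted RPC request that causes the _msgout() function to be called; this function calls syslog() to log the error without checking the message for format strings. The vulnerable code from pcnfsd_print.c is shown below: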

psrstat pr_start2(system, pr, user, fname, opts, id)

…

    if (rename(pathname, new_pathname))
    {
        /*
        **---------------------------------------------------
        ** Should never happen.
        **---------------------------------------------------
        */
        (void)sprintf(tempstr, "rpc.pcnfsd: spool file rename (%s->%s) failed.\n",
                      pathname, new_pathname);
        msg_out(tempstr);    /* <-- Vuln function with our input */

from pcnfsd_xdr.c

static
_msgout(msg)
    char *msg;
{
#ifdef RPC_SVC_FG
    if (_rpcpmstart)
        syslog(LOG_ERR, msg);    /* <-- Problem here! */
    else
        (void) fprintf(stderr, "%s\n", msg);
#else
    syslog(LOG_ERR, msg);        /* <-- Problem here! */
#endif
    return(0);
}
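
The usual correction for this pattern, as an added example that is not code from the advisory or from any vendor patch: the message is handed to syslog() as an argument of a constant "%s" format, and a small checker shows how directives in a file name survive into tempstr. The names count_directives, build_rename_msg and msgout_fixed and the sample file names are assumptions made for illustration.

```c
#include <stdio.h>
#include <syslog.h>

/* Count printf-style directives in s; "%%" is a literal percent sign. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* escaped percent: skip the pair */
        else
            n++;            /* would be interpreted by a printf-family call */
    }
    return n;
}

/* Bounded version of the message construction in pr_start2().
 * Returns 0 on success, -1 if the message did not fit in buf. */
static int build_rename_msg(char *buf, size_t len,
                            const char *from, const char *to)
{
    int n = snprintf(buf, len,
                     "rpc.pcnfsd: spool file rename (%s->%s) failed.", from, to);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Hardened logger: msg is always an argument, never the format string. */
static int msgout_fixed(const char *msg)
{
    syslog(LOG_ERR, "%s", msg);
    return 0;
}

int main(void)
{
    /* Constructed sample names standing in for client-supplied input. */
    const char *from = "/spool/job-%x-%s", *to = "/spool/job-%d.new";
    char tempstr[256];

    if (build_rename_msg(tempstr, sizeof tempstr, from, to) != 0)
        return 1;
    /* The "%s" expansion copies the names verbatim, '%' characters included. */
    printf("directives carried into tempstr: %d\n", count_directives(tempstr));
    return msgout_fixed(tempstr);
}
```

With the constant format in place, the three directives counted in tempstr are written to the log as literal text instead of being interpreted.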

<*Source: Rodrigo Rubira Branco (rodrigo@risesecurity.org)

  Links:
        http://secunia.com/advisories/39911/
        http://marc.info/?l=bugtraq&m=127448192202799&w=2
        http://www.checkpoint.com/defense/advisories/public/2010/cpai-13-May.html
        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5088
        http://www.auscert.org.au/render.html?it=12819&template=1
*>

Recommendation:

Vendor patches:

HP

HP has released a security bulletin (HPSBUX02523) and a corresponding patch for this issue:
HPSBUX02523:SSRT100036 rev.1 – HP-UX Running ONCPlus, Remote Denial of Service (DoS), Increase in Privilege
Link:
http://www.auscert.org.au/render.html?it=12819&template=1

IBM

The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:

http://aix.software.ibm.com/aix/efixes/security/pcnfsd_fix.tar
