
IPS Research Team Discovers Critical Syslog Format String Vulnerability


(CVE-2010-1039)

A critical format string vulnerability in the rpc.pcnfsd service shipped with several Unix systems was discovered by a member of the Check Point IPS Research Team. A remote attacker can trigger it by sending a crafted RPC message to the target host and potentially inject and execute arbitrary code.

The rpc.pcnfsd daemon handles authentication requests for mounting and for print spooling from PC-NFS (Personal Computer Network File System) clients on remote machines. Affected systems include IBM AIX 6.1.0 and earlier versions, IRIX 6.5, and HP-UX 11.11, 11.23, and 11.31. The vulnerability resides in a logging function of rpc.pcnfsd that is reached while parsing RPC requests: a string taken from the request ends up as the format string of a printf-style logging call rather than as a data argument. A request whose string arguments contain format directives (for example %x or %n) is therefore interpreted by the formatter, which lets an attacker read stack contents and write to memory. Successful exploitation could allow the attacker to execute arbitrary code on an affected system.
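The logging pattern described above, as an added illustration in C (this is not the rpc.pcnfsd source, and the function names, the XDR string decoder and the sample requests are assumptions constructed for the example): a daemon decodes a string argument from the RPC request, builds a log line containing it, and then hands that line to a syslog-style wrapper as the format. The hardened form beside it keeps the format a literal. A third function shows the kind of check an inline IPS applies to the request on the wire, flagging string arguments that carry a '%' before they reach the daemon. The vulnerable path is exercised with "%%" only, which demonstrates that the formatter is interpreting attacker text without the undefined behaviour that %x or %n would cause.

```c
/* Added example, not rpc.pcnfsd code. Compile: cc -std=c99 fmt_demo.c */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Minimal XDR string decoder (assumed wire shape: 4-byte big-endian length,
 * bytes, zero padding to a 4-byte boundary). Returns bytes consumed, or 0
 * when the encoding is malformed or the string does not fit. */
static size_t xdr_get_string(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (len < 4) return 0;
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8) | buf[3];
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (n >= outsz || padded > len - 4) return 0;
    memcpy(out, buf + 4, n);
    out[n] = '\0';
    return 4 + padded;
}

/* Hypothetical daemon logging wrapper in the shape of a syslog(3) front end:
 * writes to a caller buffer here so the result can be inspected. Whatever
 * arrives in 'fmt' is interpreted as a printf format. */
static void logmsg(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the log line that embeds the client-supplied name is passed
 * as the format. "%x" leaks stack words, "%n" writes to memory; "%%" is
 * enough to show the interpretation happening. */
void log_auth_vulnerable(const char *client, char *dst, size_t dstsz)
{
    char line[LOGBUF];
    snprintf(line, sizeof line, "auth request from %s", client);
    logmsg(dst, dstsz, line);              /* attacker text used as format */
}

/* HARDENED: the format is a literal; the client string is only data. */
void log_auth_fixed(const char *client, char *dst, size_t dstsz)
{
    logmsg(dst, dstsz, "auth request from %s", client);
}

/* Network-side check in the spirit of an IPS signature: walk the XDR string
 * arguments of a request and flag any that contain a '%'. Returns 1 if a
 * format directive candidate is present, 0 otherwise. */
int request_has_format_directive(const uint8_t *req, size_t len)
{
    char s[LOGBUF];
    size_t off = 0, used;
    while (off < len && (used = xdr_get_string(req + off, len - off, s, sizeof s)) != 0) {
        if (strchr(s, '%') != NULL) return 1;
        off += used;
    }
    return 0;
}

/* Constructed sample requests: two XDR strings each (hostname, username). */
const uint8_t SAMPLE_BENIGN[20] = {
    0, 0, 0, 4, 'h', 'o', 's', 't',
    0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e', 0, 0, 0 };
const uint8_t SAMPLE_MALICIOUS[20] = {
    0, 0, 0, 4, 'h', 'o', 's', 't',
    0, 0, 0, 6, '%', 'x', '%', 'x', '%', 'x', 0, 0 };

int main(void)
{
    char out[LOGBUF];
    log_auth_vulnerable("user%%name", out, sizeof out);
    printf("vulnerable: %s\n", out);      /* "%%" collapsed to "%" */
    log_auth_fixed("user%%name", out, sizeof out);
    printf("fixed:      %s\n", out);      /* "%%" preserved as data */
    printf("benign flagged=%d malicious flagged=%d\n",
           request_has_format_directive(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN),
           request_has_format_directive(SAMPLE_MALICIOUS, sizeof SAMPLE_MALICIOUS));
    return 0;
}
```

The difference between the two log_auth variants is the whole fix: a format string must never be derived from untrusted input. The wire check is a detection aid, not a substitute for the fix, since legitimate usernames cannot contain '%' in practice but the daemon's own parsing is what decides what reaches the formatter.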

Check Point Research and Response Centers conduct original research on network, protocol and application vulnerabilities. The Centers also actively monitor and where appropriate communicate with white, black and grayhat communities to identify vulnerabilities and potential exploits before they are introduced into the wild. Using this information, Check Point Research and Response Centers develop and disseminate defenses through relevant Update Services components.

Check Point IPS-1 has provided pre-emptive protection against this vulnerability since January 2003 and the integrated IPS products SmartDefense and the IPS Software Blade provide immediate protection in the latest IPS update by detecting and blocking malformed RPC requests. For more information, see CPAI-2010-082.

Acknowledgements go to Rodrigo Rubira Branco from the Check Point IPS Research Team for discovering and reporting this vulnerability.