[10927] in bugtraq


cfingerd 1.3.2

daemon@ATHENA.MIT.EDU (Salvatore Sanfilippo -antirez-)
Fri Jul 2 14:19:41 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990702001126.A2480@mclink.it>
Date: 	Fri, 2 Jul 1999 00:11:26 +0200
Reply-To: md5330@mclink.it
From: Salvatore Sanfilippo -antirez- <md5330@MCLINK.IT>
To: BUGTRAQ@NETSPACE.ORG

Hi,

	there is a remote buffer overflow in cfingerd 1.3.2
	in search_fake():

int search_fake(char *username)
{
    char parsed[80];

    bzero(parsed, 80);
    /* no field width on %[^.]: stores every byte up to the first '.' plus a NUL */
    sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
...


called from process_username(), that is called from main:

int main(int argc, char *argv[])
{
    char username[100], syslog_str[200];
...

    if (!emulated) {
        if (!fgets(username, sizeof(username), stdin)) {

...
    /* Check the finger information coming in and return its type */
    un_type = process_username(username);


	see parsed[80] and username[100].
	Anyway, search_illegal() is called before search_fake(),
	so only [A-z0-9] and many other chars can be used in order to
	execute arbitrary code.

	Debian is not vulnerable because a patch fixes this and other
	cfingerd weaknesses (I think it's an example of bad coding),
	but searching in the Bugtraq archive I haven't found anything.

	I take the opportunity to inform you that I'm developing a
	secure (I hope) finger daemon: mayfingerd. In order to
	make mayfingerd more portable I need some unprivileged
	accounts on hosts running *BSD, Solaris, AIX etc. Can Bugtraq
	readers help me?

	I hope it will be released together with hping2 the
	next month.

	Sorry for my bad English forever :)

have a good summer,
antirez

--
Salvatore Sanfilippo antirez | md5330@mclink.it | antirez@alicom.com
try hping: http://www.kyuzz.org/antirez           antirez@seclab.com
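Added example (not part of the post above and not cfingerd's own code): the two buffer sizes the post points at, parsed[80] and username[100], reproduced as a stand-alone program that measures how many bytes the unbounded %[^.] scanset stores for the longest line fgets(username, 100, stdin) can deliver, next to the bounded %79[^.] form that keeps sscanf inside the 80-byte buffer. The request line is constructed here (97 'A's plus "\r\n"; 'A' is in the [A-z0-9] set the post says survives search_illegal()), and the measuring is done into a deliberately oversized buffer so the example itself does not smash its stack. Function names and the 256-byte scratch buffer are this example's own choices, not cfingerd identifiers.

```c
#include <stdio.h>
#include <string.h>

#define PARSED_LEN   80   /* parsed[80] in cfingerd 1.3.2 search_fake() */
#define USERNAME_LEN 100  /* username[100] in main(); fgets stores at most 99 bytes + NUL */

/* Constructed input: n_a 'A' characters followed by "\r\n", NUL-terminated.
 * 'A' is not '.', so %[^.] consumes the whole line, "\r\n" included.
 * Returns the line length, or 0 if it does not fit in buf. */
size_t build_request(char *buf, size_t buflen, size_t n_a)
{
    if (n_a + 2 + 1 > buflen)
        return 0;
    memset(buf, 'A', n_a);
    memcpy(buf + n_a, "\r\n", 3);        /* copies the terminating NUL too */
    return n_a + 2;
}

/* The format string from search_fake(), unchanged, but writing into a
 * caller-supplied buffer large enough for any fgets() result, so we can
 * count what sscanf stores instead of overflowing an 80-byte array.
 * Returns the number of bytes stored, excluding the NUL. */
size_t scan_unbounded(const char *username, char *dst, size_t dst_len)
{
    memset(dst, 0, dst_len);
    if (sscanf(username, "%[^.].%*[^\r\n]\r\n", dst) < 1)   /* no field width */
        return 0;
    return strlen(dst);
}

/* Hardened form: the field width 79 on the scanset makes sscanf stop after
 * PARSED_LEN-1 characters, so the NUL always fits in parsed[80]. */
size_t scan_bounded(const char *username, char parsed[PARSED_LEN])
{
    memset(parsed, 0, PARSED_LEN);
    if (sscanf(username, "%79[^.].%*[^\r\n]\r\n", parsed) < 1)
        return 0;
    return strlen(parsed);
}

/* Predicts whether the original code would overflow parsed[] for a line:
 * sscanf stores every byte up to the first '.', plus one NUL. */
int would_overflow(const char *username)
{
    return strcspn(username, ".") + 1 > PARSED_LEN;
}

/* Bytes the original format stores for the longest line fgets() can deliver. */
size_t max_request_stored_bytes(void)
{
    char req[USERNAME_LEN], big[256];
    build_request(req, sizeof req, USERNAME_LEN - 3);   /* 97 'A' + "\r\n" = 99 bytes */
    return scan_unbounded(req, big, sizeof big);
}

int main(void)
{
    char req[USERNAME_LEN], parsed[PARSED_LEN];
    size_t n = build_request(req, sizeof req, USERNAME_LEN - 3);

    printf("request: %zu bytes, overflow predicted: %d\n", n, would_overflow(req));
    printf("unbounded %%[^.] stores %zu bytes + NUL into an %d-byte buffer\n",
           max_request_stored_bytes(), PARSED_LEN);
    printf("bounded %%79[^.] stores %zu bytes\n", scan_bounded(req, parsed));

    n = scan_bounded("alice.bob\r\n", parsed);
    printf("benign request parses to \"%s\" (%zu bytes)\n", parsed, n);
    return 0;
}
```

The margin is 20 bytes: 99 characters plus the NUL is 100 bytes written into an 80-byte stack array, which is exactly the gap between the two sizes the post quotes. Note that bounding the scanset only stops the overflow; the bounded parse of an over-long line still returns a truncated 79-byte name, which the caller would have to treat as an invalid request rather than look up.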
