Re: buffer overflow in configurable fingerd?
daemon@ATHENA.MIT.EDU (Ken Hollis)
Wed Feb 12 19:38:44 1997
Date: Wed, 12 Feb 1997 12:39:23 -0800
Reply-To: Ken Hollis <khollis@NORTHWEST.COM>
From: Ken Hollis <khollis@NORTHWEST.COM>
X-To: M Shariful Anam <shuman@annexgrp.org>
To: BUGTRAQ@netspace.org
In-Reply-To: <Pine.LNX.3.95.970213003400.14730A-100000@eniac.kaifnet.com>
> While playing around with Ken Hollis's cfingerd 1.2.3 on Linux, I found
> out there is one or more chances of buffer overflow when reading its
> config file, /etc/cfingerd.conf.
>
> Some strings are probably copied to variable without checking the length.
> In those situations, doing any finger from anywhere (remote/local) to the
> machine causes a SIGSEGV. Now, the potential problem is, cfingerd is
> recommended to be run as root from inetd.conf by the Author. So I think
> there might be a chance of getting a root exploit here on the machines
> running cfingerd 1.2.3.
>
> Also note that, it has another program userlist, which simply lists the
> users logged in, is installed as rws--S--- root.root by default, when
> those setuid/setgid bits are not needed at all!
You might want to note a couple of issues that this user failed to tell
you (from lack of reading documentation):
1) userlist runs as root because it needs to get access to the said
user's directory. The reason this happens is to read a file called
".nofinger" which tells whether or not the user wants to have their
finger information displayed in a finger request. It states this in
cfingerd.1, and cfingerd.conf.1. The phrase "RTFM" comes to mind.
2) cfingerd is now up to version 1.3.2. This version fixes all of the
problems listed above. Variable length checking, root holes, and a few
other problems were resolved in this latest version.
ftp.bitgate.com:/pub/bitgate/cfingerd/cfingerd-1.3.2.tar.gz is the latest
version.
Since this is free software, and I am not getting paid for getting this
fixed, I do not appreciate getting E-Mail saying this without the user
reading the documentation ahead of time. This seems to be a problem with
a lot of end users. READ THE DOCUMENTATION, PLEASE!!! This message would
have been AVOIDED if the said user read the docs!!
So. Get the latest cfingerd. Read the documentation (it only takes a
little time, as painful as it may seem.) Write me with a LEGITIMATE bug
report instead of saying "this is my finger output, here's your bug." I
don't reply to messages without getting a legitimate bug report.
And don't send messages of this caliber to bug report sites without first
researching the problem. Thank you for your time.
-- Ken Hollis
---
----------------------------------------------------------------------
| Ken T. Hollis || Autobahn Sys Admin || Freeware/GPL Hacker |
| khollis@northwest.com || Webmaster/Hacker || Linux Net Junkie |
----------------------------------------------------------------------
^_^ -_- ;o @_@ +_+ @_@ ^_^! ;_; *^.^* q(^_^)p $_$ v_v o_O O_o p_q
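The report quoted above describes config values being copied into fixed-size variables without a length check, so that an over-long line in /etc/cfingerd.conf crashes every finger request. The following is an added illustration of the defensive pattern, not cfingerd's own code: a small "KEY = VALUE" line parser whose copy into the fixed field is bounded and whose failure is reported as a parse error instead of overrunning the struct. The config keys, field sizes and function names are hypothetical; the sample lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Fixed-size fields standing in for the fixed buffers a daemon keeps its
 * config values in. Field names and sizes are hypothetical. */
#define FIELD_MAX 64

struct finger_config {
    char banner_file[FIELD_MAX];
    char nofinger_file[FIELD_MAX];
};

/* The failure mode in the report is an unbounded copy such as
 *   strcpy(cfg->banner_file, value);
 * which overruns the field when the value is longer than FIELD_MAX - 1.
 * This bounded copy refuses a value that does not fit (NUL included) and
 * leaves an empty string behind, so the caller can report the bad line. */
int copy_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {              /* no room for the value plus its NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse one "KEY = VALUE" line into cfg.
 * Returns 0 on success, 1 for an unknown key, -1 for a malformed line,
 * and -2 when the value does not fit its field. */
int parse_config_line(const char *line, struct finger_config *cfg)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;

    /* key: text before '=', trailing blanks trimmed */
    size_t klen = (size_t)(eq - line);
    while (klen > 0 && (line[klen - 1] == ' ' || line[klen - 1] == '\t'))
        klen--;
    if (klen == 0)
        return -1;

    /* value: text after '=', leading blanks and trailing whitespace trimmed */
    const char *val = eq + 1;
    while (*val == ' ' || *val == '\t')
        val++;
    size_t vlen = strlen(val);
    while (vlen > 0 && strchr(" \t\r\n", val[vlen - 1]) != NULL)
        vlen--;

    char *dst;
    if (klen == strlen("BANNER_FILE") && strncmp(line, "BANNER_FILE", klen) == 0)
        dst = cfg->banner_file;
    else if (klen == strlen("NOFINGER_FILE") && strncmp(line, "NOFINGER_FILE", klen) == 0)
        dst = cfg->nofinger_file;
    else
        return 1;

    return copy_bounded(dst, FIELD_MAX, val, vlen) == 0 ? 0 : -2;
}

/* Constructed sample: one good line, one unknown key, and one value of
 * 200 characters that cannot fit a FIELD_MAX field.
 * Returns how many lines were rejected for length (expected: 1). */
int count_overlong_lines(void)
{
    struct finger_config cfg;
    char longline[256];
    memset(&cfg, 0, sizeof cfg);

    strcpy(longline, "NOFINGER_FILE = /");
    size_t p = strlen(longline);
    memset(longline + p, 'A', 200);   /* over-long path, constructed */
    longline[p + 200] = '\0';

    const char *lines[] = {
        "BANNER_FILE = /etc/cfingerd/banner.txt\n",
        "COLOR = blue\n",
        longline
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (parse_config_line(lines[i], &cfg) == -2)
            rejected++;
    return rejected;
}

int main(void)
{
    struct finger_config cfg;
    memset(&cfg, 0, sizeof cfg);
    int rc = parse_config_line("BANNER_FILE = /etc/cfingerd/banner.txt\n", &cfg);
    printf("rc=%d banner_file=%s\n", rc, cfg.banner_file);
    printf("over-long lines rejected: %d\n", count_overlong_lines());
    return 0;
}
```

Rejecting the value rather than silently truncating it is deliberate: a truncated path would point the daemon at the wrong file, whereas a parse error at startup is visible to the administrator and cannot turn into a crash on every incoming finger request.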