Type packetstorm
Reporter Packet Storm
Modified 1999-09-21T00:00:00


                                            `Subject: cfingerd 1.3.2  
there is a remote buffer over flow in cfingerd 1.3.2  
in search_fake():  
int search_fake(char *username)  
char parsed[80];  
bzero(parsed, 80);  
sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);  
called from process_username(), that is called from main:  
int main(int argc, char *argv[])  
char username[100], syslog_str[200];  
if (!emulated) {  
if (!fgets(username, sizeof(username), stdin)) {  
/* Check the finger information coming in and return its type */  
un_type = process_username(username);  
see parsed[80] and username[100].  
Anyway search_illegal() is called before than search_fake()  
so only [A-z0-9] and many other char can be used in oreder to  
execute arbitrary code.  
Debian is not vulnerable because a patch fix this and other  
cfingerd weakness (i think it's an example of bad coding)  
but searching in bugtraq archive i haven't found anything.  
I take opportunity to inform that i'm developing a  
secure (i hope) finger daemon: mayfingerd. In order to  
make mayfingerd more portable i need some unprivileged  
account in hosts running *BSD, Solaris, AIX etc. Bugtraq  
readers can help me?  
I hope it will be released together with hping2 the  
next month.  
Sorry for my bad english forever :)  
have a good summer,  
Salvatore Sanfilippo antirez | |  
try hping: