remote_bof_cfingerd.txt

1999-09-21T00:00:00
ID PACKETSTORM:15681
Type packetstorm
Reporter Packet Storm
Modified 1999-09-21T00:00:00

Description

                                        
                                            `Subject: cfingerd 1.3.2  
To: BUGTRAQ@netspace.org   
  
  
Hi,  
  
  
there is a remote buffer overflow in cfingerd 1.3.2  
in search_fake():  
  
  
int search_fake(char *username)  
{  
    char parsed[80];  
  
    bzero(parsed, 80);  
    /* "%[^.]" has no field width: everything before the first '.' is  
       copied into parsed[80], but username can hold up to 99 bytes */  
    sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);  
    ...  
  
  
  
called from process_username(), which is called from main():  
  
  
int main(int argc, char *argv[])  
{  
    char username[100], syslog_str[200];  
    ...  
  
    if (!emulated) {  
        /* reads up to 99 bytes of the request line into username */  
        if (!fgets(username, sizeof(username), stdin)) {  
  
    ...  
    /* Check the finger information coming in and return its type */  
    un_type = process_username(username);  
  
  
  
see parsed[80] and username[100].  
Anyway, search_illegal() is called before search_fake(),  
so only [A-z0-9] and many other chars can be used in order to  
execute arbitrary code.  
  
  
Debian is not vulnerable because a patch fixes this and other  
cfingerd weaknesses (I think it's an example of bad coding),  
but searching the Bugtraq archive I haven't found anything.  
  
  
I take the opportunity to inform you that I'm developing a  
secure (I hope) finger daemon: mayfingerd. In order to  
make mayfingerd more portable I need some unprivileged  
accounts on hosts running *BSD, Solaris, AIX etc. Can Bugtraq  
readers help me?  
  
  
I hope it will be released together with hping2 the  
next month.  
  
  
Sorry for my bad English forever :)  
  
  
have a good summer,  
antirez  
  
  
--  
Salvatore Sanfilippo antirez | md5330@mclink.it | antirez@alicom.com  
try hping: http://www.kyuzz.org/antirez antirez@seclab.com  
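The following is an added demonstration, not cfingerd code and not part of antirez's post. It measures the sscanf() overrun the advisory describes (an unbounded "%[^.]" conversion from a 100-byte username[] into parsed[80]) and contrasts it with the same format carrying a field width ("%79[^.]"). The width-limited format is the generic fix for this pattern, assumed here; it is not claimed to be the exact change in the Debian patch the post mentions. The conversion is run into an oversized scratch buffer so the overrun is counted rather than actually smashing the stack, and the request lines are constructed inline.

```c
/* Added example: measure the sscanf() overrun in cfingerd 1.3.2's
 * search_fake() pattern and compare it with a width-limited format.
 * Not cfingerd code; buffer sizes are the ones quoted in the advisory. */
#include <stdio.h>
#include <string.h>

#define PARSED_LEN   80   /* sizeof parsed[]   in search_fake() */
#define USERNAME_LEN 100  /* sizeof username[] in main()        */

/* Mimic fgets(username, 100, stdin) on request line `line`, without
 * real I/O: copy at most 99 bytes, stop after a newline, NUL-terminate. */
static void simulate_fgets(const char *line, char username[USERNAME_LEN])
{
    size_t n = 0;
    while (n < USERNAME_LEN - 1 && line[n] != '\0') {
        username[n] = line[n];
        n++;
        if (line[n - 1] == '\n')
            break;
    }
    username[n] = '\0';
}

/* Original format from the advisory. "%[^.]" has no field width, so
 * every byte before the first '.' (or end of string) is stored. Returns
 * bytes stored including the NUL, or 0 if the conversion did not match
 * (input starting with '.'). scratch is big enough for any username. */
static size_t stored_unbounded(const char *username)
{
    char scratch[USERNAME_LEN + 1] = {0};
    if (sscanf(username, "%[^.].%*[^\r\n]\r\n", scratch) < 1)
        return 0;
    return strlen(scratch) + 1;
}

/* Same format with the conversion capped at PARSED_LEN - 1 bytes, which
 * leaves room for the terminating NUL inside an 80-byte buffer.
 * (Assumed generic fix; not necessarily the Debian patch verbatim.) */
static size_t stored_bounded(const char *username)
{
    char scratch[USERNAME_LEN + 1] = {0};
    if (sscanf(username, "%79[^.].%*[^\r\n]\r\n", scratch) < 1)
        return 0;
    return strlen(scratch) + 1;
}

/* Bytes by which a request line would overrun parsed[80] under the
 * original format (0 means it fits, NUL included). */
size_t overrun_original(const char *line)
{
    char username[USERNAME_LEN];
    simulate_fgets(line, username);
    size_t n = stored_unbounded(username);
    return n > PARSED_LEN ? n - PARSED_LEN : 0;
}

/* Same measurement with the width-limited format. */
size_t overrun_fixed(const char *line)
{
    char username[USERNAME_LEN];
    simulate_fgets(line, username);
    size_t n = stored_bounded(username);
    return n > PARSED_LEN ? n - PARSED_LEN : 0;
}

/* Convenience: a request of `len` 'A' bytes plus a newline (len capped
 * at 199 for the demo). fixed != 0 selects the width-limited format.
 * 'A' is one of the characters search_illegal() lets through. */
size_t overrun_for_run(size_t len, int fixed)
{
    char line[201];
    if (len > 199)
        len = 199;
    memset(line, 'A', len);
    line[len] = '\n';
    line[len + 1] = '\0';
    return fixed ? overrun_fixed(line) : overrun_original(line);
}

int main(void)
{
    /* Constructed inputs: a normal finger request, then the longest
     * username fgets() can deliver (99 bytes, no room for the newline). */
    printf("\"antirez.\\r\\n\": original %zu, fixed %zu\n",
           overrun_original("antirez.\r\n"), overrun_fixed("antirez.\r\n"));
    for (size_t len = 78; len <= 99; len += 21)
        printf("%zu x 'A': original overrun %zu, fixed %zu\n",
               len, overrun_for_run(len, 0), overrun_for_run(len, 1));
    return 0;
}
```

Note that the newline fgets() keeps counts toward the overrun: a 79-byte username followed by "\n" already writes 81 bytes into parsed[80], while the 99-byte maximum writes 100, i.e. 20 bytes past the buffer, which is what the advisory's "see parsed[80] and username[100]" points at. With the field width in place the stored length never exceeds 80 bytes regardless of input.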