
CFINGERD remote vulnerability

2001-04-13 00:00:00
vulners.com

Hi

Following recent habits, I break the advisory into four parts:

OVERVIEW:

There is a critical bug in the cfingerd daemon <= 1.4.3 (a classic format string bug) that makes it possible to acquire full control over a remote machine if it runs the cfingerd program, the configurable and secure finger daemon.
In three words: REMOTE ROOT VULNERABILITY

DESCRIPTION:

The bug occurs in main.c, lines 245, 258 and 268:
<------ syslog(LOG_NOTICE, (char *) syslog_str);
We control syslog_str through our ident username, which goes directly into the second parameter of syslog(), i.e. the format string. Using %n and some tricks, an attacker can overwrite anything in the daemon's memory, including the saved eip register.
The more or less proper usage of syslog() here is:
------> syslog(LOG_NOTICE, "%s", (char *) syslog_str);
There are many papers about format string bugs, so I won't write detailed information about them here.

EXPLOITATION:

Exploiting it is a bit tricky because we use another bug in the code. The ident reply is something like this:
3478, 79 : UNIX : USERID : username
If the username is longer than 64 bytes, cfingerd logs a strange string:
[64b username]3478, 79 : UNIX : USERID : [64b username][rest of the username]

The following code is responsible for this strange behaviour (cp points into the line read from identd, xp into the 64-byte uname[] buffer):

    for (xp = uname; *cp != '\0' && *cp != '\r' && *cp != '\n'
                     && strlen(uname) < sizeof(uname); cp++)
        *(xp++) = *cp;

You can see that no space is left for the string-terminating '\0' character, so the next local variable, which is the line that was read from identd, will also be returned as the tail of the username. Example:

The fake identd sends:
[120 B's] : : :[64 A's]
The username returned by get_rfc1413_data() will be:
[64 A's][120 B's] : : :…

Then an snprintf() truncates the string that goes to syslog(), allowing only 200 bytes to pass. If the username is one byte, we have 183 bytes we can control there ("a fingered from username@host"), where the host no longer fits, so it won't get into syslog() (another security hole).

Now we have a method to send 183 bytes to syslog(). We have to find out some basic variables to be able to exploit this, which we can brute-force easily one by one.
(details in the "fingex" exploit…)

FIX:

The attached patch will fix the four bugs: the three syslog() bugs and the bug that allows anybody to send long usernames to syslog() so that the hostname wouldn't get there.

To make a bug-fixed source tree, save the diff as cfingerd-1.4.3.diff and do:

wget http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz
tar xfz cfingerd-1.4.3.tar.gz
cat cfingerd-1.4.3.diff | patch -p0

and the source tree is free of this bug.
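As an added example (not the advisory's code and not the attached patch), the C below shows the two corrections the patch describes: a username copy that reserves room for the terminating '\0', and syslog() called with a constant "%s" format so ident data is never the format string. The buffer sizes, the message layout and the names copy_username, build_log_line and log_finger are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define UNAME_SZ 64   /* assumed size of cfingerd's uname[] buffer */
#define LOG_SZ   200  /* the snprintf() limit mentioned in the advisory */

/* Bounded copy of the ident username. The original loop tested
 * strlen(uname) < sizeof(uname), so it could fill all 64 bytes and leave
 * no slot for '\0'. This stops at uname_sz - 1 and always terminates.
 * Returns the number of bytes copied. */
size_t copy_username(char *uname, size_t uname_sz, const char *cp)
{
    size_t n = 0;
    if (uname_sz == 0)
        return 0;
    while (*cp != '\0' && *cp != '\r' && *cp != '\n' && n < uname_sz - 1)
        uname[n++] = *cp++;
    uname[n] = '\0';
    return n;
}

/* Builds the log line. Returns 0 on success, -1 if it would be truncated,
 * so a dropped hostname is detected instead of silently lost. */
int build_log_line(char *out, size_t out_sz,
                   const char *who, const char *user, const char *host)
{
    int n = snprintf(out, out_sz, "%s fingered from %s@%s", who, user, host);
    return (n < 0 || (size_t)n >= out_sz) ? -1 : 0;
}

/* User-controlled data is passed as an argument, never as the format. */
void log_finger(const char *who, const char *user, const char *host)
{
    char line[LOG_SZ];
    if (build_log_line(line, sizeof line, who, user, host) != 0)
        syslog(LOG_NOTICE, "%s", "finger: ident reply too long, not logged");
    else
        syslog(LOG_NOTICE, "%s", line);
}

int main(void)
{
    char uname[UNAME_SZ];
    char ident[200];
    memset(ident, 'B', 120);                 /* constructed: 120 B's from a fake identd */
    memcpy(ident + 120, " : : :\r\n", 9);    /* rest of the constructed reply */
    size_t n = copy_username(uname, sizeof uname, ident);
    printf("copied %zu bytes, terminated: %s\n", n, uname[n] == '\0' ? "yes" : "no");
    return 0;
}
```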

Please update your cfingerd'z as soon as possible.

Bye
Megyer Laszlo (Lez)
[email protected]