-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
SECURITY ADVISORY INTEXXIA(c) 18 12 2001 ID #1050-181201
TITLE : pfinger Format String Vulnerability CREDITS : Guillaume Pelat / INTEXXIA
pfinger <= 0.7.7
pfinger is a finger daemon written in C. It is vulnerable to a
format string vulnerability.
Both client and server are vulnerable to a format string
injection using for example a '.plan' file.
Client side : the client uses directly the data received from
the server as the first argument of the printf(3) function. A user could create a specially crafted '.plan' file that would be printed by the pfinger client. As a result, it could be possible to make execute arbitrary code by the client.
Server side : if the server is configured to connect to a master
server (with the <sitehost> directive), data received from the master server are directly used as first argument in the printf(3) function. If a malicious user modifies the master to make it send crafted data, it is possible to make execute code to the vulnerable 'slave' server.
If a user has an account on the master server, he can create a crafted '.plan' file containing the format string. A simple request to the 'client' server would also exploit the server side vulnerability.
The pfinger daemon is launched with 'nobody' permissions by
default. Complete exploitation of this vulnerability will permit an attacker to execute code with the 'nobody' permissions. But this flaw could be used to compromize the local system by exploiting other local vulnerabilities.
Here are two proofs of concept for the both sides.
Client side :
evil@test:~$ cat ~/.plan Now a little format string: %p %p %p :-) evil@test:~$
good@test:~$ finger -l evil Login Name: evil In real life: Evil Login Name Status Login time Host evil Evil active Mon 08:02 test No mail. Plan: Now a little format string: 0x8049da0 0x640 0x400a252d :-) good@test:~$
Server side :
good@test:~$ cat /etc/fingerconf <fingerconf> <sitehost>master</sitehost> </fingerconf>
evil@master:~$ cat ~/.plan Now a little format string: %p %p %p :-) evil@master:~$ telnet test 79 Trying x.x.x.x... Connected to test.lab.intexxia.com. Escape character is '^]'. /W evil Login Name: evil In real life: Evil Login Name Status Login time Host evil Evil active Mon 08:02 master No mail. Plan: Now a little format string: 0xbfbff860 0x400 0x0 :-) Connection closed by foreign host. evil@master:~$
There is an official solution now. A new version has been
released which corrects this security issue. pfinger version 0.7.8 is available at :
18-12-2001 : This bulletin was sent to Michael Baumer. 19-12-2001 : pfinger version 0.7.8 has been released which solves this issue.
Intexxia provides this information as a public service and "as
is". Intexxia will not be held accountable for any damage or distress caused by the proper or improper usage of these materials.
(c) intexxia 2001. This document is property of intexxia. Feel
free to use and distribute this material as long as credit is given to intexxia and the author.
CERT intexxia firstname.lastname@example.org INTEXXIA http://www.intexxia.com 171, av. Georges Clemenceau Standard : +33 1 55 69 49 10 92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPCIwdU2N8BNyNDXLEQI+MQCg9SuwuxrM3kaQVNT57trzLaPpTJQAn35u AhSwVUKGRGPoRmxqMcN1Ue/3 =OctC -----END PGP SIGNATURE-----