[CERT-intexxia] pfinger Format String Vulnerability

2001-12-21T00:00:00
ID SECURITYVULNS:DOC:2295
Type securityvulns
Reporter Securityvulns
Modified 2001-12-21T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


SECURITY ADVISORY INTEXXIA(c)
18 12 2001                                           ID #1050-181201


TITLE   : pfinger Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA


SYSTEM AFFECTED

    pfinger <= 0.7.7

DESCRIPTION

    pfinger is a finger daemon written in C. It is vulnerable to a
format string vulnerability.


DETAILS

    Both client and server are vulnerable to format string injection,
for example through a '.plan' file.

    Client side : the client passes the data received from the server
directly as the first argument (the format string) of the printf(3)
function. A user could create a specially crafted '.plan' file that
would be printed by the pfinger client. As a result, it could be
possible to execute arbitrary code on the client.

    Server side : if the server is configured to connect to a master
server (with the <sitehost> directive), data received from the master
server is used directly as the first argument of the printf(3)
function. If a malicious user modifies the master so that it sends
crafted data, it is possible to execute code on the vulnerable 'slave'
server.

    If a user has an account on the master server, he can create a
crafted '.plan' file containing the format string. A simple request to
the 'slave' server would then also exploit the server side
vulnerability.

    The pfinger daemon is launched with 'nobody' permissions by
default. Complete exploitation of this vulnerability will permit an
attacker to execute code with the 'nobody' permissions. However, this
flaw could be used to compromise the local system by chaining it with
other local vulnerabilities.
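    The following is an added illustration, not pfinger's own code:
it shows the printf(3) misuse the advisory describes next to the
hardened form (format string is a literal, untrusted text is an
argument), together with a small helper a reviewer or a log filter can
use to spot conversion directives in untrusted finger data. The
function names and the sample '.plan' line are constructed for this
example.

```c
/* Added example (not from pfinger): the format-string bug pattern and
 * its fix, plus a directive counter usable as a review/detection aid. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (as described in the advisory, shown here only as
 * a comment so the example compiles cleanly everywhere):
 *
 *     printf(plan);      // BUG: attacker-controlled text is the format
 *
 * Any "%p", "%x" or "%n" inside the .plan is interpreted by printf(3)
 * instead of being printed. */

/* Hardened pattern: the format string is a literal and the plan is an
 * ordinary argument, so "%p" in it is just three characters of text. */
void print_plan_safe(const char *plan)
{
    printf("%s", plan);     /* or: fputs(plan, stdout); */
}

/* Same fix when formatting into a buffer. Returns the number of
 * characters the output needs (snprintf semantics); the plan contents
 * are never interpreted. */
int format_plan_safe(char *out, size_t outlen, const char *plan)
{
    return snprintf(out, outlen, "Plan:\n%s\n", plan);
}

/* Returns 1 if the hardened formatter reproduced the plan verbatim
 * within its buffer, 0 if it was truncated. */
int plan_preserved(const char *plan)
{
    char buf[256];
    if (format_plan_safe(buf, sizeof buf, plan) >= (int)sizeof buf)
        return 0;
    return strstr(buf, plan) != NULL;
}

/* Count printf conversion directives in untrusted text. "%%" is a
 * literal percent sign and is not counted. Handy as a code-review
 * heuristic or a detection rule over finger traffic. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both */
            p++;
            continue;
        }
        n++;                    /* '%' followed by a conversion */
    }
    return n;
}

int main(void)
{
    /* Constructed sample, modelled on the advisory's .plan line */
    const char *plan = "Now a little format string: %p %p %p :-)";
    char buf[128];

    printf("directives found: %d\n", count_conversions(plan));
    format_plan_safe(buf, sizeof buf, plan);
    fputs(buf, stdout);         /* prints the %p's literally */
    print_plan_safe(plan);
    putchar('\n');
    return 0;
}
```

    Build with -Wformat -Wformat-security (gcc/clang) to have the
compiler flag the vulnerable pattern at compile time; the hardened
calls above produce no warning.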


PROOF OF CONCEPT

    Here are two proofs of concept, one for each side.

Client side :

    evil@test:~$ cat ~/.plan
    Now a little format string: %p %p %p :-)
    evil@test:~$

    good@test:~$ finger -l evil
    Login Name: evil                        In real life: Evil
    Login    Name    Status    Login time    Host
    evil     Evil    active    Mon 08:02     test
    No mail.
    Plan:
    Now a little format string: 0x8049da0 0x640 0x400a252d :-)
    good@test:~$

Server side :

    good@test:~$ cat /etc/fingerconf
    <fingerconf>
    <sitehost>master</sitehost>
    </fingerconf>

    evil@master:~$ cat ~/.plan
    Now a little format string: %p %p %p :-)
    evil@master:~$ telnet test 79
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    /W evil
    Login Name: evil                        In real life: Evil
    Login    Name    Status    Login time    Host
    evil     Evil    active    Mon 08:02     master
    No mail.
    Plan:
    Now a little format string: 0xbfbff860 0x400 0x0 :-)
    Connection closed by foreign host.
    evil@master:~$


SOLUTION

    An official fix is now available. A new version has been released
which corrects this security issue. pfinger version 0.7.8 is available
at :

http://www.xelia.ch/unix/pfinger/


VENDOR STATUS

    18-12-2001 : This bulletin was sent to Michael Baumer.
    19-12-2001 : pfinger  version  0.7.8  has  been  released  which
                 solves this issue.

LEGALS

    Intexxia provides this information as a public service and "as
is". Intexxia will not be held accountable for any damage or distress
caused by the proper or improper usage of these materials.

    (c) intexxia 2001. This document is the property of intexxia. Feel
free to use and distribute this material as long as credit is given to
intexxia and the author.


CONTACT

CERT intexxia                    cert@intexxia.com
INTEXXIA                         http://www.intexxia.com
171, av. Georges Clemenceau      Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France    Fax : +33 1 55 69 78 80

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPCIwdU2N8BNyNDXLEQI+MQCg9SuwuxrM3kaQVNT57trzLaPpTJQAn35u
AhSwVUKGRGPoRmxqMcN1Ue/3
=OctC
-----END PGP SIGNATURE-----