Remote buffer overflow in cfingerd 1.3.2
Subject: cfingerd 1.3.2
To: BUGTRAQ@netspace.org
Hi,
there is a remote buffer overflow in cfingerd 1.3.2
in search_fake():

int search_fake(char *username)
{
    char parsed[80];

    bzero(parsed, 80);
    sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
    ...

called from process_username(), that is called from main:

int main(int argc, char *argv[])
{
    char username[100], syslog_str[200];
    ...
    if (!emulated) {
        if (!fgets(username, sizeof(username), stdin)) {
    ...
    /* Check the finger information coming in and return its type */
    un_type = process_username(username);

See parsed[80] and username[100].
Anyway, search_illegal() is called before search_fake(),
so only [A-z0-9] and many other chars can be used in order to
execute arbitrary code.
Debian is not vulnerable because a patch fixes this and other
cfingerd weaknesses (I think it's an example of bad coding),
but searching in the Bugtraq archive I haven't found anything.
I take the opportunity to inform that I'm developing a
secure (I hope) finger daemon: mayfingerd. In order to
make mayfingerd more portable I need some unprivileged
accounts on hosts running *BSD, Solaris, AIX etc. Can Bugtraq
readers help me?
I hope it will be released together with hping2
next month.
Sorry for my bad English forever :)
have a good summer,
antirez
--
Salvatore Sanfilippo antirez | md5330@mclink.it | antirez@alicom.com
try hping: http://www.kyuzz.org/antirez antirez@seclab.com
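
Added example, not part of the post above and not code from cfingerd or the Debian patch: a bounded version of the parse that search_fake() performs. The unbounded "%[^.]" conversion can copy up to 99 bytes plus a NUL from username[100] into parsed[80]; the sketch below checks the length and uses a field width instead. parse_fake_prefix() and PARSED_SIZE are hypothetical names, and the inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PARSED_SIZE 80  /* size of parsed[] in the quoted search_fake() */

/*
 * parse_fake_prefix() is a hypothetical helper, not cfingerd code.
 * It stores the part of `username` before the first '.' in `out`
 * and never writes more than PARSED_SIZE bytes.
 * Returns the prefix length, 0 for an empty prefix, or -1 when the
 * prefix does not fit (the request should then be refused).
 */
int parse_fake_prefix(const char *username, char out[PARSED_SIZE])
{
    size_t n = strcspn(username, ".");  /* bytes the scanset would match */

    memset(out, 0, PARSED_SIZE);
    if (n == 0)
        return 0;
    if (n >= PARSED_SIZE)
        return -1;                      /* reject rather than truncate */
    /* Field width 79 = PARSED_SIZE - 1 leaves room for the NUL. */
    if (sscanf(username, "%79[^.]", out) != 1)
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    char line[100];                     /* same size as username[] in main() */
    char parsed[PARSED_SIZE];

    /* Constructed input: the longest line fgets() can return, no '.' */
    memset(line, 'A', sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';
    printf("99 bytes, no dot -> %d\n", parse_fake_prefix(line, parsed));

    /* Constructed input: an ordinary request */
    printf("root.fake -> %d (%s)\n",
           parse_fake_prefix("root.fake\r\n", parsed), parsed);
    return 0;
}
```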