Security :: Advisory - efFingerD 0.2.12 Buffer overflow homepage: --------- https://sourceforge.net/projects/effingerd/ vulnerable: ----------- efFingerD 0.2.12 Impact ------ Medium Details -------- efFingerD is a simple open source finger daemon. By looking a little bit at the code i identified one buffer overflow condition. By sending as an argument to the finger command 180 characters the daemon will crash.The problem exists in sockFinger_DataArrival function. -------snip---------- Dim sData As String sockFinger(Index).GetData sData, vbString sData = Trim(Replace(sData, vbCrLf, "")) If Len(sData) > 0 Then If sData = ".version" Then sockSend Index, Replace(Localize(0), "$VERSION$", App.Major & "." & App.Minor & "." & App.Revision) ElseIf Mid(sData, 1, 1) = "." Then sockSend Index, Replace(Localize(1), "$QUERY$", sData) Else Dim sFilename As String sFilename = App.Path & "\users\" & sData If Len(Dir(sFilename & ".log")) > 0 Then <------- buffer overflow 1 ' Global Header (company, version, etc...) If Len(Dir(App.Path & "\global.hdr")) > 0 Then sockFileContents Index, App.Path & "\global.hdr" sockSend Index, "" End If ' User Header (real name, email, project, etc...) If Len(Dir(sFilename & ".hdr")) > 0 Then sockFileContents Index, sFilename & ".hdr" sockSend Index, "-----" End If ' User Plan: sockFileContents Index, sFilename & ".log" ' End of Send sockSend Index, "-----" sockSend Index, Localize(3) Else sockSend Index, Replace(Localize(2), "$QUERY$", sData) End If End If sockFinger(Index).Close End If ------snip------------- fix/workaround: --------------- I wrote a simple patch for efFingerD. Get the source code from: http://members.lycos.co.uk/r34ct/main/fixes/effingerd/source/ If you want the patched binary: http://members.lycos.co.uk/r34ct/main/fixes/effingerd/binary/ credit: ------ dr_insane@pathfinder.gr http://members.lycos.co.uk/r34ct/