cfingerd 1.3.2
Salvatore Sanfilippo -antirez- (md5330 mclink.it)
Fri, 2 Jul 1999 00:11:26 +0200
Hi,
there is a remote buffer overflow in cfingerd 1.3.2
in search_fake():

    int search_fake(char *username)
    {
        char parsed[80];

        bzero(parsed, 80);
        /* no field width on %[^.]: everything up to the first '.' is copied */
        sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
        ...
called from process_username(), which is called from main():

    int main(int argc, char *argv[])
    {
        char username[100], syslog_str[200];
        ...
        if (!emulated) {
            if (!fgets(username, sizeof(username), stdin)) {
        ...
        /* Check the finger information coming in and return its type */
        un_type = process_username(username);

See parsed[80] and username[100].
Anyway, search_illegal() is called before search_fake(),
so only [A-z0-9] and many other chars can be used in order to
execute arbitrary code.
Debian is not vulnerable because a patch fixes this and other
cfingerd weaknesses (I think it's an example of bad coding),
but searching the Bugtraq archive I haven't found anything.
I take the opportunity to inform you that I'm developing a
secure (I hope) finger daemon: mayfingerd. In order to
make mayfingerd more portable I need some unprivileged
accounts on hosts running *BSD, Solaris, AIX etc. Can Bugtraq
readers help me?
I hope it will be released together with hping2
next month.
Sorry for my bad English forever :)
Have a good summer,
antirez
--
Salvatore Sanfilippo   antirez | md5330mclink.it | antirez alicom.com
try hping: http://www.kyuzz.org/antirez   antirez seclab.com
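The sscanf() shape quoted in the post, next to a bounded form, as an added example that is not cfingerd's code. It keeps the sizes from the post (parsed[80], username[100]) and feeds both scans a constructed 99-byte line with no '.', the longest line cfingerd's fgets() can deliver; the unbounded scan writes into an oversized scratch buffer so the overrun is measured rather than triggered.

```c
#include <stdio.h>
#include <string.h>

#define PARSED_LEN   80    /* char parsed[80]    in search_fake() */
#define USERNAME_LEN 100   /* char username[100] in main()        */

/* The quoted pattern: "%[^.]" has no field width, so it copies every byte up
 * to the first '.' or the end of the string. 'scratch' is deliberately larger
 * than any fgets() line; the return value is the byte count (excluding the
 * NUL) that would have landed in parsed[80]. */
size_t scan_unbounded(const char *username, char *scratch)
{
    scratch[0] = '\0';
    sscanf(username, "%[^.].%*[^\r\n]\r\n", scratch);
    return strlen(scratch);
}

/* Hardened form: width PARSED_LEN-1 leaves room for the NUL, the scanset also
 * stops at CR/LF, and a name that did not end at '.' or end-of-line is
 * reported as truncated (return 0) instead of being used clipped. */
int scan_bounded(const char *username, char parsed[PARSED_LEN])
{
    parsed[0] = '\0';
    if (sscanf(username, "%79[^.\r\n]", parsed) != 1)   /* 79 == PARSED_LEN-1 */
        return 0;
    size_t n = strlen(parsed);
    return (username[n] == '.'  || username[n] == '\r' ||
            username[n] == '\n' || username[n] == '\0') ? 1 : 0;
}

/* Constructed input: 97 'A's plus "\r\n", 99 bytes, no '.' anywhere. */
static void make_long_line(char line[USERNAME_LEN])
{
    memset(line, 'A', USERNAME_LEN - 3);
    memcpy(line + USERNAME_LEN - 3, "\r\n", 3);   /* copies the NUL too */
}

size_t demo_unbounded(void)              /* 99: 19 bytes past parsed[80] */
{
    char line[USERNAME_LEN], scratch[4 * USERNAME_LEN];
    make_long_line(line);
    return scan_unbounded(line, scratch);
}

int demo_bounded_truncates(void)         /* 0: long line rejected */
{
    char line[USERNAME_LEN], parsed[PARSED_LEN];
    make_long_line(line);
    return scan_bounded(line, parsed);
}

int demo_bounded_ok(void)                /* 1: "antirez" parsed from a normal line */
{
    char parsed[PARSED_LEN];
    int r = scan_bounded("antirez.localhost\r\n", parsed);
    return r == 1 && strcmp(parsed, "antirez") == 0;
}
```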
This archive was generated by hypermail 2.0b3 on Thu Jul 01 1999 - 20:42:35 CDT