From: Megyer Laszlo (abullaFREEMAIL.HU)
Date: Wed Apr 11 2001 - 13:02:34 CDT
Following recent habits, I break the advisory into 4 parts:
There is a critical bug in the cfingerd daemon <= 1.4.3 (a classic format
that makes it possible to acquire full control over the remote machine if it
the cfingerd program, the configurable and secure finger daemon.
In 3 words: REMOTE ROOT VULNERABILITY
The bug occurs in main.c, lines 245, 258 and 268:
<------ syslog(LOG_NOTICE, (char *) syslog_str);
We control syslog_str through the ident username, and it goes directly to
the second parameter of syslog(), i.e. the format string. Using %n and some tricks, we can overwrite
anything in the daemon's memory, including the saved eip register.
The more or less proper usage of syslog() in this case is:
------> syslog(LOG_NOTICE, "%s", (char *) syslog_str);
There are many papers about format bugs, so I don't write detailed info
Exploiting it is a bit tricky because it relies on another bug in the code. The
ident reply looks something like this:
3478, 79 : UNIX : USERID : username
If the username is longer than 64 bytes, cfingerd logs a strange string:
[64b username]3478, 79 : UNIX : USERID : [64b username][rest of the
The following code is responsible for this strange behaviour:
for (xp=uname; *cp != '\0' &&
*(xp++) = *cp;
You can see that no space is left for the terminating '\0', so the next
local variable, which is the line that was read from identd, is also
returned as the tail of the username. Example:
The fake identd sends:
[120 B's] : : :[64 A's]
the username that is returned by get_rfc1413_data() will be:
[64 A's][120 B's] : : :...
Then a snprintf() cuts the string that goes to syslog(), allowing only
bytes to pass. If the username is one byte, we have 183 bytes we can
control there ("a fingered from usernamehost"), where host doesn't have
so it won't get into syslog() (another security hole).
Now we have a method to send 183 bytes to syslog(). We have to find out
basic variables to be able to exploit this, which can be bruteforced easily
(details in the "fingex" exploit).
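The two defects above (the unterminated 64-byte username copy and the ident data used as the syslog() format string) can be fixed as shown in this added example. It is not code from the advisory or from cfingerd; the function names are hypothetical, and the 64-byte buffer size is taken from the text above.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define UNAME_MAX 64  /* constructed; mirrors the 64-byte username buffer described above */

/* Bounded, always-terminated replacement for the quoted copy loop (hypothetical
 * name): stores at most uname_size-1 bytes of the USERID field and writes the
 * '\0' the original loop left no room for. Returns the number of bytes stored. */
size_t copy_ident_username(char *uname, size_t uname_size, const char *cp)
{
    size_t n = 0;
    if (uname_size == 0)
        return 0;
    while (*cp != '\0' && *cp != '\r' && *cp != '\n' && n < uname_size - 1)
        uname[n++] = *cp++;
    uname[n] = '\0';
    return n;
}

/* Fixed format string; ident data is only an argument to "%s", so a "%n" in it
 * is logged literally. Returns the snprintf() result for checking without syslogd. */
int format_log_line(char *out, size_t out_size, const char *uname, const char *host)
{
    return snprintf(out, out_size, "%s fingered from %s", uname, host);
}

/* The call pattern the advisory recommends: never syslog(LOG_NOTICE, str). */
void log_finger(const char *uname, const char *host)
{
    char line[256];
    format_log_line(line, sizeof line, uname, host);
    syslog(LOG_NOTICE, "%s", line);
}

/* Self-checks on constructed input: a 199-byte USERID and one made of directives. */
size_t stored_len_for_overlong_input(void)
{
    char in[200], uname[UNAME_MAX];
    memset(in, 'B', sizeof in - 1);
    in[sizeof in - 1] = '\0';
    return copy_ident_username(uname, sizeof uname, in);
}

int directives_logged_literally(void)
{
    char out[256];
    format_log_line(out, sizeof out, "%n%n%x", "host.invalid");
    return strcmp(out, "%n%n%x fingered from host.invalid") == 0;
}
```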
---- The attached patch fixes all four bugs: the three syslog() bugs and the bug that allows anybody to send long usernames to syslog() so that the hostname does not get there.
To make a bug-fixed source tree, save the diff as cfingerd-1.4.3.diff and do:
wget http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz
tar xfz cfingerd-1.4.3.tar.gz
cat cfingerd-1.4.3.diff | patch -p0
and the source tree is free of this bug.
Please update your cfingerd daemons as soon as possible.
Bye
Megyer Laszlo (Lez)
abullafreemail.hu
- text/plain attachment: The exploit
- text/plain attachment: cfingerd-1.4.3.diff