OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Spybreak (spybreakhost.sk)
Date: Wed Mar 06 2002 - 03:17:31 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Release : 6/3/2002
    Author : Spybreak (spybreakhost.sk)
    Software: efingerd
    Versions: 1.3, 1.6.1
    Problems: Remote buffer overflow and a dangerous feature

    Efingerd is a "finger daemon, giving you complete control over what are
    you going to display about your computer" as is written in the man page.
    However this is not completely true, as any local user can (even
    unintentionally)
    expose more info than was originally intended by an admin.

    Debian Linux distributes versions 1.3 (stable) and 1.6.1 (unstable).

    1.) Remote buffer overflow

    In the stable version it is possible to remotely cause a buffer overflow
    condition
    through an exploitation of a reverse-lookup part of the code:

    static char *lookup_addr (struct in_addr in)
    {
            static char addr[100];
            struct hostent *he;

            if (resolve_addr) {
                    he = gethostbyaddr ((char *)&in, sizeof(struct
    in_addr),AF_INET);
                    if (he == NULL)
                            strcpy(addr, inet_ntoa(in));
                    else
                            strcpy(addr, he->h_name);
            }
            else
                    strcpy (addr, inet_ntoa (in));

            return addr;
    }

    Usually efingerd runs as 'nobody'.

    2.) The feature

    But there is another security issue with efingerd (in both versions).
    When some existing user is fingered, efingerd looks for a ".efingerd" file
    in that user's home directory and if it does exist and it is executable it
    tries to execute it - as 'nobody'. The .efingerd's output is sent back to
    the fingerer.

    So _whatever_ a local user puts in his .efingerd file, can be executed under
    nobody UID/GID simply by fingering himself. So getting a nobody/nobody shell
    is straighforward.
    This can be very interesting for a potential evildoer going to hide his
    identity during some nasty actions, for example local DoS attacks.
    As the logfile is writable by the UID of efingerd, it can be easily
    manipulated.

    This feature can be turned off with the -u option.