cfingerd local vulnerability (possibly root)

From: Steven Van Acker (deepstarat_private)
Date: Thu Jun 21 2001 - 13:53:46 PDT


    Hi,
    
    I sent this mail 2 weeks ago, but still didn't receive a reply.
    Neither did the cfingerd authors change anything on their
    site (http://www.infodrom.ffis.de/projects/cfingerd/).
    So I will do my duty and report this on bugtraq.
    
    I didn't check versions prior to cfingerd 1.4.3, but I suppose they are vulnerable as well.
    
    A quick fix is to disable the ALLOW_LINE_PARSING option.
    
    I attached my mail to the maintainer of cfingerd, at the end of this mail.
    
    greets,
    -- Steven
    
    ---------- Forwarded message ----------
    Date: Thu, 7 Jun 2001 09:22:59 +0200 (CEST)
    From: Steven Van Acker <deepstarat_private>
    To: joeyat_private
    Subject: cfingerd bug(s)
    
    Hi,
    
    I hope this is the right address because I couldn't find any other one.
    
    When the option ALLOW_LINE_PARSING is set (and this seems to be the default),
    each user can specify what cfingerd returns to the querying person.
    The problem is situated in util.c, line 181-182:
    
      while((line[pos] != ' ') && (!done)) {
          command[newpos] = line[pos];
    
    This while loop does not check whether the end of the buffer "command" has been reached.
    (The buffer is 80 chars long.)
    
    This leads to a buffer overflow.
    Even more alarming is that it can lead to a local root exploit, because cfingerd is allowed to run as root,
    and it doesn't seem to drop the privileges when it performs that while loop. (Correct me if I'm wrong,
    I didn't really check thoroughly because I have to study for my exams.)
    
    $<80 chars><displine><5*sizeof(int)><ebp><eip>
    
    By inserting this in ~/.nofinger, and storing the shellcode in the 80 chars buffer,
    it is possible to execute user-supplied code.
    The value of displine is required because of the free(displine) on line 303.
    
    This value can be determined by another bug in the same file at line 301:
    
      printf(displine);
    
    Which is a standard format string bug.
    
    $center %s %p
    
    By inserting this into ~/.nofinger, the second value printed will be the address of displine.
    
    Of course, this format string bug could be exploited as well, but it's more difficult than the one above.
    
    To fix this (you probably know it already):
    
    on line 181:
      while((newpos < 80) && (line[pos] != ' ') && (!done)) {
            ^^^^^^^^^^^^^^^^^
    
    on line 301:
      printf("%s",displine);
             ^^^^^
    
    I hope this can help you.
    
    Greets,
    -- Steven Van Acker <deepstarat_private>
    
    --
    "Nuclear war can ruin your whole compile."
    		-- Karl Lehenbauer
    
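The two defects the report points at (an unbounded copy loop and a user string passed as a printf format) are both fixed by bounding the copy and by passing the string as an argument. The following is an added example written for this archive page, not cfingerd's own code: it rebuilds the token-copy loop with the missing bound, keeping the `pos`/`newpos`/`done` structure of the quoted fragment, and returns whether truncation happened so a caller can log or reject the line. Names (`parse_command`, `struct parse_result`, `print_display_line`, `COMMAND_LEN`) are hypothetical. One assumption beyond the posted fix: the copy stops at `cmdsize - 1` rather than `80`, reserving a byte for the NUL terminator, because the fragment does not show how `command` is used afterwards and treating it as a C string is the safe assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same size as the cfingerd buffer described in the report. */
#define COMMAND_LEN 80

/* Result of one token copy (hypothetical type, not cfingerd's). */
struct parse_result {
    size_t consumed;   /* index in `line` where copying stopped */
    size_t copied;     /* bytes stored in `command`, excluding the NUL */
    bool truncated;    /* the token did not fit in the buffer */
};

/* Copy the leading token of `line` (up to the first space or the end of
 * the string) into `command`, which holds `cmdsize` bytes.  The original
 * loop had no check on newpos; this one stops at cmdsize - 1 so the
 * terminator always fits. */
struct parse_result parse_command(const char *line, char *command, size_t cmdsize)
{
    struct parse_result r = {0, 0, false};
    size_t pos = 0, newpos = 0;
    bool done = false;

    if (cmdsize == 0)
        return r;                      /* no room even for the NUL */

    while (!done) {
        char c = line[pos];
        if (c == ' ' || c == '\0') {
            done = true;               /* end of token */
        } else if (newpos + 1 >= cmdsize) {
            r.truncated = true;        /* buffer full: stop, do not overflow */
            done = true;
        } else {
            command[newpos++] = c;
            pos++;
        }
    }
    command[newpos] = '\0';
    r.consumed = pos;
    r.copied = newpos;
    return r;
}

/* Safe counterpart to `printf(displine)`: the user-controlled string is
 * an argument, never the format string. */
void print_display_line(const char *displine)
{
    printf("%s\n", displine);
}

int main(void)
{
    char command[COMMAND_LEN];
    char longline[256];

    /* Constructed input: a 200-byte token followed by a space. */
    memset(longline, 'A', 200);
    longline[200] = ' ';
    longline[201] = '\0';

    struct parse_result r = parse_command(longline, command, sizeof command);
    printf("copied=%zu consumed=%zu truncated=%d\n",
           r.copied, r.consumed, (int)r.truncated);
    print_display_line("center %s %p");   /* printed literally, not interpreted */
    return 0;
}
```

With the 200-byte token, `parse_command` stores 79 bytes plus the terminator and reports `truncated`, where the original loop would have written 120 bytes past the end of `command`. A caller that sees `truncated` set should treat the `.nofinger` line as malformed rather than silently continuing with a cut-off command.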



    This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 12:08:43 PDT