[CERT-intexxia] pfinger Format String Vulnerability

From: Benoît Roussel (benoit.rousselat_private)
Date: Thu Dec 20 2001 - 10:39:52 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ________________________________________________________________________
    SECURITY ADVISORY                                            INTEXXIA(c)
    18 12 2001                                               ID #1050-181201
    ________________________________________________________________________
    TITLE   : pfinger Format String Vulnerability
    CREDITS : Guillaume Pelat / INTEXXIA
    ________________________________________________________________________
    
    
    SYSTEM AFFECTED
    ===============
    
            pfinger <= 0.7.7
    
    
    ________________________________________________________________________
    
    
    DESCRIPTION
    ===========
    
            pfinger is a finger daemon  written in C. Both its client and its
    server contain a format string vulnerability.
    
    
    ________________________________________________________________________
    
    
    DETAILS
    =======
    
            Both the client and the server are vulnerable to  format  string
    injection, for example through a crafted '.plan' file.
    
            Client side : the client passes  the  data  received  from  the
    server directly as the first argument  (the format string) of printf(3).
    A user could create a specially crafted '.plan' file  that is printed by
    the pfinger client of anyone who fingers that account. As a result,  it
    may be possible to execute arbitrary code in the context of the client.
    
            Server side : if the server is configured to connect to a master
    server (with  the <sitehost>  directive), data  received from the master
    server is used directly as the first  argument  of  printf(3).  If  a
    malicious user modifies the master so that it sends crafted data, it is
    possible to execute code on the vulnerable 'slave' server.
    
    If a user  has an account  on the master server, he can create a crafted
    '.plan'  file  containing the  format string.  A simple  request to  the
    'slave' server (the one that acts as a client of the master) would  then
    also trigger the server side vulnerability.
    
            The pfinger daemon is  launched  with  'nobody'  permissions  by
    default. Complete  exploitation of this  vulnerability  will  permit  an
    attacker to execute code with  'nobody' permissions.  This foothold could
    then be used to compromise the local  system  by  exploiting other local
    vulnerabilities.
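    The following C program is added here as an illustration and is not part
    of the advisory or of pfinger's own source. It shows the pattern  behind
    both the client-side and the server-side findings above:  untrusted text
    (a '.plan', or a reply from the <sitehost> master) handed to printf(3) as
    the  format  string  versus  the  same text printed as data  through  a
    literal "%s" format. It also includes a small directive counter that can
    be run over '.plan' files or received data to flag  suspicious  input.
    SAMPLE_PLAN, count_format_directives, render_plan_vulnerable,
    render_plan_safe and safe_render_preserves are names chosen for this
    example; the sample plan text is constructed to mirror the proof of
    concept below.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the kind of ~/.plan used in the proof of concept. */
static const char SAMPLE_PLAN[] = "Now a little format string: %p %p %p :-)";

/*
 * Count printf conversion directives in attacker-controlled text.
 * "%%" is a literal percent sign and is not counted. A lone trailing '%'
 * is counted, because printf would still try to interpret it.
 * A non-zero result on a .plan or on data from a master server is a
 * cheap indicator that someone is probing for this class of bug.
 */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/*
 * Vulnerable rendering, the shape of the bug in pfinger <= 0.7.7: the
 * untrusted text is itself the format string. "%p" then reads values from
 * the stack/registers (the 0x... leak in the advisory) and "%n" can write
 * memory, which is what turns the leak into code execution. This is
 * deliberately undefined behaviour and is kept only for contrast.
 */
int render_plan_vulnerable(char *dst, size_t cap, const char *plan)
{
    return snprintf(dst, cap, plan);
}

/* Fixed rendering: the format is a literal, the plan is only an argument. */
int render_plan_safe(char *dst, size_t cap, const char *plan)
{
    return snprintf(dst, cap, "%s", plan);
}

/* Returns 1 if the safe path reproduces the plan byte for byte. */
int safe_render_preserves(const char *plan)
{
    char buf[512];
    render_plan_safe(buf, sizeof buf, plan);
    return strcmp(buf, plan) == 0;
}

int main(void)
{
    char out[256];

    printf("directives in plan: %d\n", count_format_directives(SAMPLE_PLAN));

    render_plan_vulnerable(out, sizeof out, SAMPLE_PLAN);
    printf("vulnerable: %s\n", out);   /* %p expanded to leaked pointers */

    render_plan_safe(out, sizeof out, SAMPLE_PLAN);
    printf("safe:       %s\n", out);   /* %p printed literally */
    return 0;
}
```

    In the daemon the equivalent fix is to replace every printf(data)  with
    printf("%s", data) or fputs(data, stdout); gcc's -Wformat-security flags
    the remaining non-literal format strings at compile time.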
    
    
    ________________________________________________________________________
    
    
    PROOF OF CONCEPT
    ================
    
            Here are two proofs of concept, one for each side.
    
    Client side :
    
    evil@test:~$ cat ~/.plan 
    Now a little format string: %p %p %p :-)
    evil@test:~$ 
    
    good@test:~$ finger -l evil
    Login Name: evil                In real life: Evil
    Login    Name                   Status  Login time Host
    evil     Evil                   active  Mon 08:02  test
    No mail.
    Plan:
    Now a little format string: 0x8049da0 0x640 0x400a252d :-)
    good@test:~$
    
    
    Server side :
    
    good@test:~$ cat /etc/fingerconf
    <fingerconf>
    <sitehost>master</sitehost>
    </fingerconf>
    
    evil@master:~$ cat ~/.plan
    Now a little format string: %p %p %p :-)
    evil@master:~$ telnet test 79
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    /W evil
    Login Name: evil                        In real life: Evil
    Login    Name                   Status  Login time Host
    evil     Evil                   active  Mon 08:02  master
    No mail.
    Plan:
    Now a little format string: 0xbfbff860 0x400 0x0 :-)
    Connection closed by foreign host.
    evil@master:~$
    
    
    ________________________________________________________________________
    
    
    SOLUTION
    ========
    
            There is an official  solution  now.  A  new  version  has  been
    released which  corrects this  security issue.  pfinger version 0.7.8 is
    available at :
    
    http://www.xelia.ch/unix/pfinger/
    
    
    ________________________________________________________________________
    
    
    VENDOR STATUS
    =============
    
            18-12-2001 : This bulletin was sent to Michael Baumer.
            19-12-2001 : pfinger  version  0.7.8  has  been  released  which
                         solves this issue.
    
    
    ________________________________________________________________________
    
    
    LEGALS
    ======
    
            Intexxia provides this  information  as a public service and "as
    is". Intexxia  will not be  held accountable for  any damage or distress
    caused by the proper or improper usage of these materials.
    
    
            (c) intexxia 2001. This  document is property  of intexxia. Feel
    free to use and distribute  this material as long as  credit is given to
    intexxia and the author.
    
    
    ________________________________________________________________________
    
    
    CONTACT
    =======
    
    CERT intexxia                                          certat_private
    INTEXXIA                                         http://www.intexxia.com
    171, av. Georges Clemenceau                 Standard : +33 1 55 69 49 10
    92024 Nanterre Cedex - France                    Fax : +33 1 55 69 78 80
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPCIwdU2N8BNyNDXLEQI+MQCg9SuwuxrM3kaQVNT57trzLaPpTJQAn35u
    AhSwVUKGRGPoRmxqMcN1Ue/3
    =OctC
    -----END PGP SIGNATURE-----
    
