Home page logo

bugtraq logo Bugtraq mailing list archives

Re: buffer overflow in configurable fingerd?
From: khollis () NORTHWEST COM (Ken Hollis)
Date: Wed, 12 Feb 1997 12:39:23 -0800

While playing around with Ken Hollis's cfingerd 1.2.3 on Linux, I found
out there is one or more chances of buffer overflow when reading it's
config file, /etc/cfingerd.conf.

Some strings are probably copied to variable without checking the length.
In those situation, doing any finger from anywhere (remote/local) to the
machine causes a SIGSEGV. Now, the potential problem is, cfingerd is
recommended to be run as root from inetd.conf by the Author. So I think
there might be a chance of getting a root exploit here on the machines
running cfingerd 1.2.3

Also note that, it has another program userlist, which simply lists the
users logged in, is installted as rws--S--- root.root by default, when
those setu/gid bits are not needed at all!

You might want to note a couple of issues that this user failed to tell
you (from lack of reading documentation):

1) userlist runs as root because it needs to get access to the said
   user's directory.  The reason this happens is to read a file called
   ".nofinger" which tells whether or not the user wants to have their
   finger information displayed in a finger request.  It states this in
   cfingerd.1, and cfingerd.conf.1.  The phrase "RTFM" comes to mind.

2) cfingerd is now up to version 1.3.2.  This version fixes all of the
   problems listed above.  Variable length checking, root holes, and a few
   other problems were resolved in this latest version.

ftp.bitgate.com:/pub/bitgate/cfingerd/cfingerd-1.3.2.tar.gz is the latest

Since this is free software, and I am not getting paid for getting this
fixed, I do not appreciate getting E-Mail saying this without the user
reading the documentation ahead of time.  This seems to be a problem with
a lot of end users.  READ THE DOCUMENTATION, PLEASE!!!  This message would
have been AVOIDED if the said user read the docs!!

So.  Get the latest cfingerd.  Read the documentation (it only takes a
little time, as painful as it may seem.)  Write me with a LEGITIMATE bug
report instead of saying "this is my finger output, here's your bug."  I
don't reply to messages without getting a legitimate bug report.

And don't send messages of this caliber to bug report sites without first
researching the problem.  Thank you for your time.

-- Ken Hollis
   |  Ken T. Hollis         || Autobahn Sys Admin || Freeware/GPL Hacker  |
   |  khollis () northwest com ||  Webmaster/Hacker  ||    Linux Net Junkie  |
      ^_^ -_- ;o @_@ +_+ @_@ ^_^! ;_; *^.^* q(^_^)p $_$ v_v o_O O_o p_q

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]