Bugtraq mailing list archives

cfingerd 1.3.2
From: md5330 () mclink it (Salvatore Sanfilippo -antirez-)
Date: Fri, 2 Jul 1999 00:11:26 +0200


        There is a remote buffer overflow in cfingerd 1.3.2
        in search_fake():

int search_fake(char *username)
{
    char parsed[80];

    bzero(parsed, 80);
    /* no field width on %[^.]: the run of non-'.' bytes is copied
     * into parsed[80] without any bound */
    sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
    /* ... */

called from process_username(), that is called from main:

int main(int argc, char *argv[])
{
    char username[100], syslog_str[200];
    /* ... */

    if (!emulated) {
        /* fgets() accepts up to 99 bytes, more than parsed[80] can hold */
        if (!fgets(username, sizeof(username), stdin)) {
            /* ... */

    /* Check the finger information coming in and return its type */
    un_type = process_username(username);
    /* ... */

        See parsed[80] and username[100].
        Anyway, search_illegal() is called before search_fake(),
        so only [A-z0-9] and many other chars can be used in order to
        execute arbitrary code.

        Debian is not vulnerable because a patch fixes this and other
        cfingerd weaknesses (I think it's an example of bad coding),
        but searching the Bugtraq archive I haven't found anything.

        I take this opportunity to mention that I'm developing a
        secure (I hope) finger daemon: mayfingerd. In order to
        make mayfingerd more portable I need some unprivileged
        accounts on hosts running *BSD, Solaris, AIX etc. Can Bugtraq
        readers help me?

        I hope it will be released together with hping2 the
        next month.

        Sorry for my bad english forever :)

have a good summer,

Salvatore Sanfilippo antirez | md5330 () mclink it | antirez () alicom com
try hping: http://www.kyuzz.org/antirez           antirez () seclab com
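The overflow described in the post, worked through as an added example (not code from the post or from cfingerd). It reproduces the vulnerable pattern in a form that can be reasoned about without actually smashing the stack: fake_bytes_written() computes how many bytes the original search_fake() sscanf() would store into parsed[80] for a given username, make_long_username() constructs the longest line that fgets(username, 100, stdin) accepts (99 bytes, a constructed input, not a real finger request), and search_fake_fixed() shows the one-token fix, a field width of 79 on the %[^.] conversion so the store can never exceed the 80-byte buffer. Function names, the PARSED_SZ/USERNAME_SZ macros and the sample usernames are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes as they appear in the cfingerd 1.3.2 excerpt in the post:
 * main() reads into username[100], search_fake() parses into parsed[80]. */
#define PARSED_SZ   80
#define USERNAME_SZ 100

/* Number of bytes the original, unbounded "%[^.]" would store into parsed[]:
 * the run of bytes before the first '.', plus the terminating NUL.
 * This only computes the count; it does not perform the overflowing write. */
size_t fake_bytes_written(const char *username)
{
    size_t run = strcspn(username, ".");   /* length of the leading non-'.' run */
    if (run == 0)
        return 0;      /* %[^.] matches nothing: matching failure, nothing stored */
    return run + 1;    /* run bytes plus NUL */
}

/* 1 if the original search_fake() would write past parsed[PARSED_SZ]. */
int would_overflow(const char *username)
{
    return fake_bytes_written(username) > PARSED_SZ;
}

/* Constructed worst case: the longest line fgets(username, 100, stdin)
 * returns is 99 bytes plus NUL. With no '.' in it, %[^.] copies all 99 bytes
 * (100 with the NUL) into an 80-byte buffer. */
void make_long_username(char out[USERNAME_SZ])
{
    memset(out, 'A', USERNAME_SZ - 1);
    out[USERNAME_SZ - 1] = '\0';
}

/* Hardened search_fake(): the field width 79 (= PARSED_SZ - 1) bounds the
 * store, so at most 79 bytes plus the NUL ever land in parsed[].
 * Returns 1 if a username part was parsed, 0 otherwise (parsed is zeroed). */
int search_fake_fixed(const char *username, char parsed[PARSED_SZ])
{
    memset(parsed, 0, PARSED_SZ);
    return sscanf(username, "%79[^.].%*[^\r\n]\r\n", parsed) == 1;
}

int main(void)
{
    char username[USERNAME_SZ], parsed[PARSED_SZ];

    make_long_username(username);
    printf("99-byte username: original would store %zu bytes into parsed[%d]: %s\n",
           fake_bytes_written(username), PARSED_SZ,
           would_overflow(username) ? "OVERFLOW" : "ok");

    search_fake_fixed(username, parsed);
    printf("fixed version stored %zu bytes (incl. NUL)\n", strlen(parsed) + 1);

    search_fake_fixed("antirez.kyuzz.org", parsed);
    printf("normal request parses to '%s'\n", parsed);
    return 0;
}
```

The check search_illegal() performs on the request does not help here: it filters which characters may appear, not how many, and a 99-character run of plain letters passes it and still overflows parsed[]. The fix is the width on the conversion (or replacing sscanf() with strcspn() and a bounded copy); shrinking username[] to 80 would merely move the truncation into fgets() and leave the next caller of the unbounded format exposed.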
