Home page logo
/

bugtraq logo Bugtraq mailing list archives

efingerd remote buffer overflow and a dangerous feature
From: "Spybreak" <spybreak () host sk>
Date: Wed, 6 Mar 2002 10:17:31 +0100

Release : 6/3/2002
Author  : Spybreak (spybreak () host sk)
Software: efingerd
Versions: 1.3, 1.6.1
Problems: Remote buffer overflow and a dangerous feature



Efingerd is a "finger daemon, giving you complete control over what are   
you going to display about your computer" as is written in the man page. 
However this is not completely true, as any local user can (even
unintentionally)
expose more info than was originally intended by an admin.

Debian Linux distributes versions 1.3 (stable) and 1.6.1 (unstable).

1.) Remote buffer overflow

In the stable version it is possible to remotely cause a buffer overflow
condition
through an exploitation of a reverse-lookup part of the code:


static char *lookup_addr (struct in_addr in)
{
        static char addr[100];
        struct hostent *he;

        if (resolve_addr) {
                he = gethostbyaddr ((char *)&in, sizeof(struct
in_addr),AF_INET);
                if (he == NULL)
                        strcpy(addr, inet_ntoa(in));
                else
                        strcpy(addr, he->h_name);
        }
        else
                strcpy (addr, inet_ntoa (in));

        return addr;
}


Usually efingerd runs as 'nobody'.


2.) The feature

But there is another security issue with efingerd (in both versions).
When some existing user is fingered, efingerd looks for a ".efingerd" file
in that user's home directory and if it does exist and it is executable it
tries to execute it - as 'nobody'. The .efingerd's output is sent back to
the fingerer.

So _whatever_ a local user puts in his .efingerd file, can be executed under
nobody UID/GID simply by fingering himself. So getting a nobody/nobody shell
is straighforward.
This can be very interesting for a potential evildoer going to hide his
identity during some nasty actions, for example local DoS attacks.
As the logfile is writable by the UID of efingerd, it can be easily
manipulated.

This feature can be turned off with the -u option.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault