Date: Thu, 20 Dec 2001 19:39:52 +0100
From: =?iso-8859-1?Q?Beno=EEt_Roussel?= <benoit.roussel@intexxia.com>
To: bugtraq <bugtraq@securityfocus.com>
Subject: [CERT-intexxia] pfinger Format String Vulnerability
Cc: CERT-intexxia <cert@intexxia.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SECURITY ADVISORY INTEXXIA(c)
18 12 2001 ID #1050-181201
________________________________________________________________________
TITLE : pfinger Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________
SYSTEM AFFECTED
===============
pfinger <= 0.7.7
________________________________________________________________________
DESCRIPTION
===========
pfinger is a finger daemon written in C. It is vulnerable to a
format string vulnerability.
________________________________________________________________________
DETAILS
=======
Both client and server are vulnerable to a format string
injection using for example a '.plan' file.
Client side : the client uses directly the data received from
the server as the first argument of the printf(3) function. A user could
create a specially crafted '.plan' file that would be printed by the
pfinger client. As a result, it could be possible to make execute
arbitrary code by the client.
Server side : if the server is configured to connect to a master
server (with the <sitehost> directive), data received from the master
server are directly used as first argument in the printf(3) function. If
a malicious user modifies the master to make it send crafted data, it is
possible to make execute code to the vulnerable 'slave' server.
If a user has an account on the master server, he can create a crafted
'.plan' file containing the format string. A simple request to the
'client' server would also exploit the server side vulnerability.
The pfinger daemon is launched with 'nobody' permissions by
default. Complete exploitation of this vulnerability will permit an
attacker to execute code with the 'nobody' permissions. But this flaw
could be used to compromize the local system by exploiting other local
vulnerabilities.
________________________________________________________________________
PROOF OF CONCEPT
================
Here are two proofs of concept for the both sides.
Client side :
evil@test:~$ cat ~/.plan
Now a little format string: %p %p %p :-)
evil@test:~$
good@test:~$ finger -l evil
Login Name: evil In real life: Evil
Login Name Status Login time Host
evil Evil active Mon 08:02 test
No mail.
Plan:
Now a little format string: 0x8049da0 0x640 0x400a252d :-)
good@test:~$
Server side :
good@test:~$ cat /etc/fingerconf
<fingerconf>
<sitehost>master</sitehost>
</fingerconf>
evil@master:~$ cat ~/.plan
Now a little format string: %p %p %p :-)
evil@master:~$ telnet test 79
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
/W evil
Login Name: evil In real life: Evil
Login Name Status Login time Host
evil Evil active Mon 08:02 master
No mail.
Plan:
Now a little format string: 0xbfbff860 0x400 0x0 :-)
Connection closed by foreign host.
evil@master:~$
________________________________________________________________________
SOLUTION
========
There is an official solution now. A new version has been
released which corrects this security issue. pfinger version 0.7.8 is
available at :
http://www.xelia.ch/unix/pfinger/
________________________________________________________________________
VENDOR STATUS
=============
18-12-2001 : This bulletin was sent to Michael Baumer.
19-12-2001 : pfinger version 0.7.8 has been released which
solves this issue.
________________________________________________________________________
LEGALS
======
Intexxia provides this information as a public service and "as
is". Intexxia will not be held accountable for any damage or distress
caused by the proper or improper usage of these materials.
(c) intexxia 2001. This document is property of intexxia. Feel
free to use and distribute this material as long as credit is given to
intexxia and the author.
________________________________________________________________________
CONTACT
=======
CERT intexxia cert@intexxia.com
INTEXXIA http://www.intexxia.com
171, av. Georges Clemenceau Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>;
iQA/AwUBPCIwdU2N8BNyNDXLEQI+MQCg9SuwuxrM3kaQVNT57trzLaPpTJQAn35u
AhSwVUKGRGPoRmxqMcN1Ue/3
=OctC
-----END PGP SIGNATURE-----
