Bugtraq mailing list archives
Re: buffer overflow in configurable fingerd?
From: khollis () NORTHWEST COM (Ken Hollis)
Date: Wed, 12 Feb 1997 12:39:23 -0800
While playing around with Ken Hollis's cfingerd 1.2.3 on Linux, I found out there are one or more chances of buffer overflow when reading its config file, /etc/cfingerd.conf. Some strings are probably copied to variables without checking the length. In those situations, doing any finger from anywhere (remote/local) to the machine causes a SIGSEGV.

Now, the potential problem is, cfingerd is recommended to be run as root from inetd.conf by the author. So I think there might be a chance of getting a root exploit here on the machines running cfingerd 1.2.3.

Also note that it has another program, userlist, which simply lists the users logged in, and is installed as rws--S--- root.root by default, when those setuid/setgid bits are not needed at all!
You might want to note a couple of issues that this user failed to tell you (from lack of reading documentation):

1) userlist runs as root because it needs to get access to the said user's directory. The reason this happens is to read a file called ".nofinger", which tells whether or not the user wants to have their finger information displayed in a finger request. It states this in cfingerd.1 and cfingerd.conf.1. The phrase "RTFM" comes to mind.

2) cfingerd is now up to version 1.3.2. This version fixes all of the problems listed above. Variable length checking, root holes, and a few other problems were resolved in this latest version. ftp.bitgate.com:/pub/bitgate/cfingerd/cfingerd-1.3.2.tar.gz is the latest version.

Since this is free software, and I am not getting paid for getting this fixed, I do not appreciate getting e-mail saying this without the user reading the documentation ahead of time. This seems to be a problem with a lot of end users. READ THE DOCUMENTATION, PLEASE!!! This message would have been AVOIDED if the said user had read the docs!!

So. Get the latest cfingerd. Read the documentation (it only takes a little time, as painful as it may seem). Write me with a LEGITIMATE bug report instead of saying "this is my finger output, here's your bug." I don't reply to messages without getting a legitimate bug report. And don't send messages of this caliber to bug report sites without first researching the problem.

Thank you for your time.

-- Ken Hollis

---
----------------------------------------------------------------------
| Ken T. Hollis || Autobahn Sys Admin || Freeware/GPL Hacker |
| khollis () northwest com || Webmaster/Hacker || Linux Net Junkie |
----------------------------------------------------------------------
^_^ -_- ;o @_@ +_+ @_@ ^_^! ;_; *^.^* q(^_^)p $_$ v_v o_O O_o p_q
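The defect class the thread is about (config-file strings copied into fixed-size variables with no length check, in a daemon that inetd runs as root) is worth seeing side by side with the bounded version. The following is an added example written for this archive page; it is not cfingerd's code, and the key/value line syntax, the buffer sizes, the `struct cfg_entry` field names and the `FINGER_PROGRAM` key are assumptions chosen for illustration.

```c
/* Added example, not cfingerd's code: a fixed-buffer config-line parser
 * in an unbounded form and a bounded form. Line syntax, sizes and names
 * are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define CFG_KEY_MAX   32
#define CFG_VALUE_MAX 64

struct cfg_entry {
    char key[CFG_KEY_MAX];
    char value[CFG_VALUE_MAX];
};

/* Unbounded pattern: "%s" puts no limit on how many bytes land in value[],
 * so any config line whose value is longer than CFG_VALUE_MAX-1 writes past
 * the struct (a crash such as the SIGSEGV reported above is one symptom).
 * Kept only for comparison; never call it on a line that may not fit. */
int parse_line_unsafe(const char *line, struct cfg_entry *e)
{
    memset(e, 0, sizeof *e);
    return sscanf(line, "%31[^ =] = %s", e->key, e->value) == 2 ? 0 : -1;
}

/* Bounded version: locate the separator, trim blanks, then refuse any key
 * or value that would not fit with room for the terminator. Rejecting is
 * preferred over silent truncation, which could change a path or program
 * name the daemon later executes.
 * Returns 0 on success, -1 on malformed input, -2 on an over-length field. */
int parse_line_safe(const char *line, struct cfg_entry *e)
{
    const char *eq, *ks, *ke, *vs, *ve;
    size_t klen, vlen;

    memset(e, 0, sizeof *e);
    eq = strchr(line, '=');
    if (eq == NULL)
        return -1;

    ks = line;                                   /* key start/end */
    while (*ks == ' ' || *ks == '\t') ks++;
    ke = eq;
    while (ke > ks && (ke[-1] == ' ' || ke[-1] == '\t')) ke--;

    vs = eq + 1;                                 /* value start/end */
    while (*vs == ' ' || *vs == '\t') vs++;
    ve = vs + strlen(vs);
    while (ve > vs && (ve[-1] == ' ' || ve[-1] == '\t' || ve[-1] == '\n')) ve--;

    klen = (size_t)(ke - ks);
    vlen = (size_t)(ve - vs);
    if (klen == 0 || vlen == 0)
        return -1;
    if (klen >= CFG_KEY_MAX || vlen >= CFG_VALUE_MAX)
        return -2;                               /* would overflow: reject */

    memcpy(e->key, ks, klen);
    e->key[klen] = '\0';
    memcpy(e->value, vs, vlen);
    e->value[vlen] = '\0';
    return 0;
}

/* Constructed test input: "FINGER_PROGRAM = AAAA..." with n value bytes.
 * buf must hold at least n + 18 bytes. */
void make_long_line(char *buf, size_t n)
{
    const char *prefix = "FINGER_PROGRAM = ";
    size_t plen = strlen(prefix);

    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', n);
    buf[plen + n] = '\0';
}

int main(void)
{
    struct cfg_entry e;
    char line[256];

    parse_line_safe("FINGER_PROGRAM = /usr/bin/finger\n", &e);
    printf("key=%s value=%s\n", e.key, e.value);

    make_long_line(line, 200);
    printf("200-byte value: bounded parser returns %d\n", parse_line_safe(line, &e));
    /* parse_line_unsafe(line, &e) would overrun e.value on this input. */
    return 0;
}
```

The bounded parser returns an error code rather than truncating because a config value in a finger daemon is typically a path or a program to run; cutting it short silently would substitute a different file or command under root privileges, which is the same class of problem the length check is meant to prevent.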
Current thread:
- setlocale() bug in all released versions of FreeBSD (SA-97:01), (continued)
- setlocale() bug in all released versions of FreeBSD (SA-97:01) Aleph One (Feb 06)
- Wierd behavior of MS's NT4 DNS Jason T. Luttgens (Feb 07)
- New OFFICIAL patch for BSD/OS 2.1 (*SECURITY*) (fwd) Josh Gilliam (Feb 07)
- Bliss: The Facts Jared Mauch (Feb 08)
- view-source myst (Feb 08)
- IRIX: Bug in startmidi David Hedley (Feb 09)
- Re: IRIX: Bug in startmidi Nafees Bin Zafar (Feb 09)
- Security Advisory: A simple TCP spoofing attack Oliver Friedrichs (Feb 09)
- Re: Security Advisory: A simple TCP spoofing attack Wietse Venema (Feb 12)
- buffer overflow in configurable fingerd? M Shariful Anam (Feb 12)
- Re: buffer overflow in configurable fingerd? Ken Hollis (Feb 12)
- Security Bulletins Digest Aleph One (Feb 13)
- Linux NLSPATH buffer overflow solar () IDEAL RU (Feb 13)
- Re: Linux NLSPATH buffer overflow Alan Cox (Feb 14)
- CIAC Bulletin H-27: HP-UX vgdisplay Buffer Overrun Vulnerability Aleph One (Feb 15)
- screen 3.05.02 Khelbin Sunvold (Feb 15)
- Re: screen 3.05.02 test (Feb 16)
- Bug in apache httpd 1.1.3 Mihai Ibanescu (Feb 16)
- Re: Bug in apache httpd 1.1.3 Dean Gaudet (Feb 16)
- Announce new phf prober release Ray W. Hiltbrand (Feb 17)
- Re: Announce new phf prober release J. Bouvrie (Feb 17)