7th Mar 2002 [SBWID-5169]
COMMAND
efingerd remote buffer overflow
SYSTEMS AFFECTED
efingerd 1.3, 1.6.1
PROBLEM
Spybreak [spybreak@host.sk] posted:
1.) Remote buffer overflow
In the stable version (debian 1.3) it is possible to remotely cause a
buffer overflow condition through an exploitation of a reverse-lookup
part of the code:
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Reverse-lookup helper from efingerd: the resolved name (attacker
 * controlled via PTR record) is copied into a fixed 100-byte static
 * buffer with an unbounded strcpy(), hence the overflow. */
static char *lookup_addr (struct in_addr in)
{
    static char addr[100];
    struct hostent *he;

    if (resolve_addr) {
        he = gethostbyaddr ((char *)&in, sizeof(struct in_addr), AF_INET);
        if (he == NULL)
            strcpy(addr, inet_ntoa(in));
        else
            strcpy(addr, he->h_name);   /* no length check on h_name */
    }
    else
        strcpy (addr, inet_ntoa (in));
    return addr;
}
Usually efingerd runs as 'nobody'.
2.) The feature
But there is another security issue with efingerd. When some existing
user is fingered, efingerd looks for a ".efingerd" file in that
user's home directory and if it does exist and it is executable it
tries to execute it - as 'nobody'. The .efingerd's output is sent
back to the fingerer.
So _whatever_ a local user puts in his .efingerd file, can be executed
under nobody UID/GID simply by fingering himself. So getting a
nobody/nobody shell is straightforward. This can be very interesting for
a potential evildoer going to hide his identity during some nasty
actions, for example local DoS attacks. As the logfile is writable by
the UID of efingerd, it can be easily manipulated.
This feature can be turned off with the -u option.
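Added example, not part of Spybreak's posting nor of efingerd's source: a bounded replacement for the copy in item 1's lookup_addr. The function names (copy_bounded, lookup_addr_safe, long_name_falls_back_to_ip) and the sample hostnames are constructed for illustration, and the resolver result is passed in as a parameter so the code runs offline; in the daemon it would be he->h_name from gethostbyaddr(). A reverse-lookup name that does not fit the buffer is not trusted in truncated form; the dotted-quad address is used instead.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define ADDR_BUF 100   /* same size as efingerd's static addr[] */

/* Bounded copy that always NUL-terminates dst.
 * Returns 1 if src fit completely, 0 if it had to be truncated. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Hardened equivalent of lookup_addr(). resolved_name models the
 * gethostbyaddr() result (NULL = lookup failed), assumption for the
 * example so that no DNS is needed. */
static char *lookup_addr_safe(struct in_addr in, const char *resolved_name)
{
    static char addr[ADDR_BUF];
    const char *src = resolved_name ? resolved_name : inet_ntoa(in);

    if (!copy_bounded(addr, sizeof addr, src)) {
        /* PTR names longer than the buffer are not what a finger
         * daemon should print; log the address form instead. */
        copy_bounded(addr, sizeof addr, inet_ntoa(in));
    }
    return addr;
}

/* Self-check: a constructed 199-character "hostname" must not reach
 * the caller; the IP string is returned instead. Returns 1 on success. */
static int long_name_falls_back_to_ip(void)
{
    struct in_addr in;
    char longname[200];

    in.s_addr = htonl(0x0A000001UL);          /* 10.0.0.1, constructed */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    return strcmp(lookup_addr_safe(in, longname), "10.0.0.1") == 0;
}

int main(void)
{
    struct in_addr in;

    in.s_addr = htonl(0x0A000001UL);
    printf("short name : %s\n", lookup_addr_safe(in, "host.example"));
    printf("no PTR     : %s\n", lookup_addr_safe(in, NULL));
    printf("oversized  : %s\n", long_name_falls_back_to_ip() ? "fell back to IP" : "FAILED");
    return 0;
}
```

The same pattern (snprintf or strlcpy where available, with the return value checked) applies to the inet_ntoa() branches as well; the 100-byte buffer is large enough for any dotted quad, so only the h_name copy needs the fallback.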
SOLUTION
Try ident2