CFINGERD remote vulnerability

From: Megyer Laszlo (abulla@FREEMAIL.HU)
Date: Wed Apr 11 2001 - 20:02:34 CEST

Next message: Daniel Kiper: "ntpd - new Debian 2.2 (potato) version is also vulnerable"

Previous message: Paul Starzetz: "Insecure directory handling in KFM file manager"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Following the recent habits, I break the advisory into 4 parts:

OVERVIEW:
---------
There is a critical bug in cfingerd daemon <= 1.4.3, (a classic format
bug)
that makes possible to acquire full control over the remote machine if it
runs
the cfingerd program, the configurable and secure finger daemon.
In 3 words: REMOTE ROOT VULNERABILITY

DESCRIPTION:
------------
  The bug occurs in main.c, line 245, 258 and 268:
<------ syslog(LOG_NOTICE, (char *) syslog_str);
  We can control the syslog_str with our ident user, that goes directly to
the secont parameter of syslog(). Using %n and some tricks, we can overwrite
anything in the daemon's memory, including the saved eip register.
  The more or less proper usage of syslog this time is here:
------> syslog(LOG_NOTICE, "%s", (char *) syslog_str);
  There are many papers about format bugs, so I don't write detailed infos
about it.

EXPLOITATION:
-------------
Exploiting it is a bit tricky because we use another bug in the code. The
ident reply is something like this:
3478, 79 : UNIX : USERID : username
If the username is more than 64 bytes, cfingerd logs some strange string:
[64b username]3478, 79 : UNIX : USERID : [64b username][rest of the
username]

The following code is responsible of this strange behaviour:

for (xp=uname; *cp != '\0' &&
*cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
*(xp++) = *cp;

You can see that no space is left for the string terminating '\0'
character,
so the next local variable which is the line that was read from identd will
also be returned as the end of the username. Ex.:

The fake identd sends:
[120 B's] : : :[64 A's]
the username that is returned by get_rfc1413_data() will be:
[64 A's][120 B's] : : :...

Then an snprintf cuts the string that will go to syslog() allowing only
200
bytes to pass. If the username is one byte, we will have 183 bytes we can
control there. ("a fingered from username@host") where host doesn't have
place,
so it won't get into syslog(). (another sechole).

Now we have a method to send 183 bytes to syslog(). We have to find out
some
basic variables to be able to exploit this, which we can bruteforce easily
one-by-one.
(details in "fingex" exploit..)

FIX:

---- The attached patch will fix the four bugs: 3 syslog() bugs and the bug that allows anybody to send long usernames to syslog() so the hostname wouldn't get there.

To make a bugfixed source tree save the diff as cfingerd-1.4.3.diff and do:

wget http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz tar xfz cfingerd-1.4.3.tar.gz cat cfingerd-1.4.3.diff | patch -p0

and the source tree is free of this bug.

please update your cfingerd'z as soon as possible.

Bye Megyer Laszlo (Lez) abulla@freemail.hu

text/plain attachment: The exploit

text/plain attachment: cfingerd-1.4.3.diff

Next message: Daniel Kiper: "ntpd - new Debian 2.2 (potato) version is also vulnerable"
Previous message: Paul Starzetz: "Insecure directory handling in KFM file manager"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 21:12:09 CEST