CFINGERD remote vulnerability

From: Megyer Laszlo (abulla@FREEMAIL.HU)
Date: Wed Apr 11 2001 - 20:02:34 CEST

  • Next message: Daniel Kiper: "ntpd - new Debian 2.2 (potato) version is also vulnerable"

    Hi

    Following the recent habits, I break the advisory into 4 parts:

    OVERVIEW:
    ---------
      There is a critical bug in cfingerd daemon <= 1.4.3, (a classic format
    bug)
    that makes possible to acquire full control over the remote machine if it
    runs
    the cfingerd program, the configurable and secure finger daemon.
      In 3 words: REMOTE ROOT VULNERABILITY

    DESCRIPTION:
    ------------
      The bug occurs in main.c, line 245, 258 and 268:
    <------ syslog(LOG_NOTICE, (char *) syslog_str);
      We can control the syslog_str with our ident user, that goes directly to
    the secont parameter of syslog(). Using %n and some tricks, we can overwrite
    anything in the daemon's memory, including the saved eip register.
      The more or less proper usage of syslog this time is here:
    ------> syslog(LOG_NOTICE, "%s", (char *) syslog_str);
      There are many papers about format bugs, so I don't write detailed infos
    about it.

    EXPLOITATION:
    -------------
      Exploiting it is a bit tricky because we use another bug in the code. The
    ident reply is something like this:
    3478, 79 : UNIX : USERID : username
      If the username is more than 64 bytes, cfingerd logs some strange string:
    [64b username]3478, 79 : UNIX : USERID : [64b username][rest of the
    username]

    The following code is responsible of this strange behaviour:

    for (xp=uname; *cp != '\0' &&
    *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
        *(xp++) = *cp;

      You can see that no space is left for the string terminating '\0'
    character,
    so the next local variable which is the line that was read from identd will
    also be returned as the end of the username. Ex.:

    The fake identd sends:
    [120 B's] : : :[64 A's]
    the username that is returned by get_rfc1413_data() will be:
    [64 A's][120 B's] : : :...

      Then an snprintf cuts the string that will go to syslog() allowing only
    200
    bytes to pass. If the username is one byte, we will have 183 bytes we can
    control there. ("a fingered from username@host") where host doesn't have
    place,
    so it won't get into syslog(). (another sechole).

      Now we have a method to send 183 bytes to syslog(). We have to find out
    some
    basic variables to be able to exploit this, which we can bruteforce easily
    one-by-one.
      (details in "fingex" exploit..)

    FIX:

    ----
      The attached patch will fix the four bugs: 3 syslog() bugs and the bug
    that
    allows anybody to send long usernames to syslog() so the hostname wouldn't
    get
    there.
    

    To make a bugfixed source tree save the diff as cfingerd-1.4.3.diff and do:

    wget http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz tar xfz cfingerd-1.4.3.tar.gz cat cfingerd-1.4.3.diff | patch -p0

    and the source tree is free of this bug.

    please update your cfingerd'z as soon as possible.

    Bye Megyer Laszlo (Lez) abulla@freemail.hu





    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 21:12:09 CEST