[UNIX] PFinger Format String Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 27 Dec 2001 00:19:24 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PFinger Format String Vulnerability
------------------------------------------------------------------------

SUMMARY

 PFinger (http://www.xelia.ch/unix/pfinger/) is a finger daemon written in
C. Both the client and the server are vulnerable to format string
injection; a user's '.plan' file is one source of attacker-controlled
data that reaches printf(3) as the format argument.

DETAILS

Vulnerable systems:
PFinger up to and including version 0.7.7

Immune systems:
PFinger version 0.7.8

Client side:
The client passes the data received from the server directly as the
format argument of printf(3). A user can therefore create a specially
crafted '.plan' file that the pfinger client will print, and a suitable
format string could lead to execution of arbitrary code in the context
of the client.

Server side:
If the server is configured to forward requests to a master server (with
the <sitehost> directive), the data received from the master is likewise
passed directly as the format argument of printf(3). An attacker who
controls the master, or can make it return crafted data, can thus execute
code on the vulnerable 'slave' server.

A user with an ordinary account on the master server does not even need
to modify the master: a '.plan' file containing the format string, plus a
simple finger request to the 'client' server (the slave), is enough to
trigger the server-side vulnerability.

The PFinger daemon runs with 'nobody' privileges by default, so complete
exploitation of this vulnerability gives an attacker code execution as
'nobody'. That foothold could then be combined with other local
vulnerabilities to compromise the system.
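The following C program is an added example and is not PFinger's own code.
It models the pattern described above: the untrusted '.plan' text used as
the printf(3) format string, next to the corrected form that passes the
text as a "%s" argument, plus a small check an operator could run over
existing '.plan' files. The function names (emit, vulnerable_render,
safe_render, plan_has_format_directives) and the sample '.plan' strings are
constructed for this example; the "%p %p %p" string is the one from the
advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin wrapper around vsnprintf(3). It stands in for the printf(3) call in
 * the advisory and lets the vulnerable form below compile without the
 * compiler's format-security warning getting in the way. */
static int emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern (hypothetical name): the .plan text IS the format
 * string. Every '%' directive in it is interpreted: "%p" reads values the
 * function was never given (stack/register contents), "%n" writes memory.
 * Both are undefined behaviour; only "%%" is harmless. */
static char vuln_buf[256];
const char *vulnerable_render(const char *plan)
{
    emit(vuln_buf, sizeof vuln_buf, plan);
    return vuln_buf;
}

/* Corrected pattern: a constant format string, the untrusted text as an
 * argument. Directives in the text are printed literally. */
static char safe_buf[256];
const char *safe_render(const char *plan)
{
    emit(safe_buf, sizeof safe_buf, "%s", plan);
    return safe_buf;
}

/* Defensive check over existing .plan files: returns 1 if the text contains
 * any '%' that is not the literal escape "%%" (including a trailing '%'),
 * i.e. anything a vulnerable printf would interpret. */
int plan_has_format_directives(const char *plan)
{
    for (const char *p = plan; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;               /* "%p", "%n", "%s", lone '%' ... */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample .plan lines. */
    const char *benign  = "Out of office until Monday, 100%% sure";
    const char *hostile = "Now a little format string: %p %p %p :-)";

    /* Only "%%" is exercised on the vulnerable path, so this call is
     * well-defined and shows the format string being interpreted. */
    printf("vulnerable, benign: %s\n", vulnerable_render(benign));
    printf("safe, benign:       %s\n", safe_render(benign));
    printf("safe, hostile:      %s\n", safe_render(hostile));
    printf("hostile flagged:    %d\n", plan_has_format_directives(hostile));
    printf("benign flagged:     %d\n", plan_has_format_directives(benign));
    return 0;
}
```

The program deliberately never feeds the "%p" string to the vulnerable
path: that would be the undefined behaviour the advisory demonstrates, and
its output is not reproducible. The "%%" case is enough to show that the
text is being interpreted rather than printed, which is the whole bug.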

Proof of concept:
Here are two proofs of concept, one for each side. In both, the '%p'
directives in the '.plan' file are interpreted by printf(3) and print
pointer values read from the process's stack instead of the literal text:

Client side:
evil@test:~$ cat ~/.plan
Now a little format string: %p %p %p :-)
evil@test:~$

good@test:~$ finger -l evil
Login Name: evil In real life: Evil
Login Name Status Login time Host
evil Evil active Mon 08:02 test
No mail.
Plan:
Now a little format string: 0x8049da0 0x640 0x400a252d :-)
good@test:~$

Server side:
good@test:~$ cat /etc/fingerconf
<fingerconf>
<sitehost>master</sitehost>
</fingerconf>

evil@master:~$ cat ~/.plan
Now a little format string: %p %p %p :-)
evil@master:~$ telnet test 79
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
/W evil
Login Name: evil In real life: Evil
Login Name Status Login time Host
evil Evil active Mon 08:02 master
No mail.
Plan:
Now a little format string: 0xbfbff860 0x400 0x0 :-)
Connection closed by foreign host.
evil@master:~$

Solution:
A new version has been released which corrects this security issue.
PFinger version 0.7.8 is available at:
http://www.xelia.ch/unix/pfinger/

ADDITIONAL INFORMATION

The information has been provided by Benoit Roussel
(benoit.roussel@intexxia.com).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
