[UNIX] EFingerd Remote Buffer Overflow

From: support@securiteam.com
Date: 03/09/02


To: list@securiteam.com
Date: Sat,  9 Mar 2002 15:16:04 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  EFingerd Remote Buffer Overflow
------------------------------------------------------------------------

SUMMARY

Efingerd is a "finger daemon, giving you complete control over what are
you going to display about your computer", as its man page puts it.
That is not entirely true: any local user can (even unintentionally)
expose more information than the administrator intended. More serious
is the fact that the product contains an exploitable buffer overflow.

DETAILS

Vulnerable systems:
Debian Linux distributes versions 1.3 (stable) and 1.6.1 (unstable).

Remote buffer overflow
In the stable version a remote buffer overflow can be triggered through
the reverse-lookup part of the code: the hostname returned by
gethostbyaddr() (he->h_name) is copied with strcpy() into a 100-byte
static buffer, so a reverse-DNS name longer than that overruns it:

static char *lookup_addr (struct in_addr in)
{
        static char addr[100];          /* fixed-size buffer */
        struct hostent *he;

        if (resolve_addr) {
                he = gethostbyaddr ((char *)&in, sizeof(struct in_addr), AF_INET);
                if (he == NULL)
                        strcpy(addr, inet_ntoa(in));
                else
                        /* h_name comes from DNS and is not length-checked */
                        strcpy(addr, he->h_name);
        }
        else
                strcpy (addr, inet_ntoa (in));

        return addr;
}

Usually efingerd runs as 'nobody'.
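As an added example (not efingerd's own code), the following shows a bounds-checked replacement for the copy in lookup_addr() above. The resolver call is factored out into a parameter so the copy can be exercised offline with a constructed hostname; names such as copy_hostname_bounded(), lookup_addr_safe() and demo_lookup_length() are this example's own, not identifiers from efingerd. On truncation the untrusted name is discarded and the dotted-quad address is logged instead, which is the behaviour a defender wants: an oversized PTR record can neither overflow the buffer nor leave a half-copied name in the log.

```c
/* Added example, not efingerd's code: bounds-checked replacement for the
 * strcpy() calls in lookup_addr(). The hostname is passed in rather than
 * resolved, so the logic runs offline with a constructed name. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define ADDR_BUF 100   /* same size as the static addr[100] in efingerd */

/* Copy name into dst, never writing more than dstlen bytes and always
 * NUL-terminating. Returns 1 if the name had to be truncated, else 0. */
static int copy_hostname_bounded(char *dst, size_t dstlen, const char *name)
{
    size_t n = strlen(name);
    if (dstlen == 0)
        return 1;
    if (n >= dstlen) {
        memcpy(dst, name, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return 1;
    }
    memcpy(dst, name, n + 1);
    return 0;
}

/* Hardened equivalent of lookup_addr(): 'resolved' is the hostname the
 * reverse lookup returned (NULL when it failed). If the name does not fit,
 * fall back to the dotted-quad address, which is at most 15 chars + NUL. */
static const char *lookup_addr_safe(struct in_addr in, const char *resolved,
                                    char *out, size_t outlen)
{
    if (resolved == NULL || copy_hostname_bounded(out, outlen, resolved))
        copy_hostname_bounded(out, outlen, inet_ntoa(in));
    return out;
}

/* Run lookup_addr_safe() on a constructed hostname of name_len 'A's and
 * return the length of the string it produced, so a caller can confirm
 * the 100-byte buffer was never overrun. */
size_t demo_lookup_length(size_t name_len)
{
    char name[512];
    char out[ADDR_BUF];
    struct in_addr in;

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    inet_aton("192.0.2.10", &in);   /* constructed: RFC 5737 documentation address */
    lookup_addr_safe(in, name, out, sizeof out);
    return strlen(out);
}

/* Report whether a constructed name of name_len 'A's would be truncated. */
int demo_truncated(size_t name_len)
{
    char name[512];
    char out[ADDR_BUF];

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return copy_hostname_bounded(out, sizeof out, name);
}

int main(void)
{
    printf("20-char name   -> %zu chars logged\n", demo_lookup_length(20));
    printf("300-char name  -> %zu chars logged (fell back to address)\n",
           demo_lookup_length(300));
    return 0;
}
```

Using the address as the fallback rather than a truncated name keeps the log entry unambiguous; a truncated hostname could be crafted to look like a different host.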

Dangerous feature
There is a second security issue in efingerd, present in both versions.
When an existing user is fingered, efingerd looks for a ".efingerd" file
in that user's home directory; if the file exists and is executable, it
is run as 'nobody' and its output is sent back to the fingerer.

Whatever a local user puts in his .efingerd file is therefore executed
under the nobody UID/GID simply by fingering himself, so obtaining a
shell as user nobody, group nobody is straightforward. This is
attractive to anyone who wants to hide his identity during abusive
actions such as local DoS attacks. Since the log file is writable by the
UID efingerd runs under, it can also be manipulated easily.

This feature can be turned off with the -u option.

ADDITIONAL INFORMATION

The information has been provided by <mailto:spybreak@host.sk> Spybreak.

