zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)

From: NGSSoftware Insight Security Research (nisr@nextgenss.com)
Date: 12/16/02

    From: "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    Date: Mon, 16 Dec 2002 19:53:29 -0000

    NGSSoftware Insight Security Research Advisory

    Name: zkfingerd Format String vulnerability
    Systems: zkfingerd version 0.9.1 and earlier
    Severity: High Risk
    Vendor URL: http://sourceforge.net/projects/zkfingerd
    Author: David Litchfield (david@ngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/zkfingerd.txt
    Date: 16th December 2002
    Advisory number: #NISR16122002A

    zkfingerd is an open-source replacement for standard finger daemons running
    on Linux systems. zkfingerd suffers from several format string
    vulnerabilities that, when exploited, can allow the remote execution of
    arbitrary code.

    The first format string vulnerability can be found in the putlog() function
    of log.c. An unsafe call is made to syslog(), passing the logged string c
    directly as the format argument:

    syslog(LOG_INFO, c);

    To make this safe, a fixed format string should be supplied and c passed as
    its argument:

    syslog(LOG_INFO,"%s", c);

    By fingering a "user" whose name is a crafted format string, it is possible
    to overwrite arbitrary locations in memory with attacker-supplied values
    using the %n specifier. This can lead to arbitrary code

    Further format string vulnerabilities, which all share the same root cause,
    stem from the say() function:

    #include <stdarg.h>
    #include <stdio.h>
    void say(char *fmt, ...)
    {
            va_list ap;

            va_start(ap, fmt);
            vprintf(fmt, ap);    /* fmt itself is the sink: caller data is interpreted */
            va_end(ap);
    }

    If say() is called with a first argument that is not a fixed format string
    but input a remote user can control, the vulnerability manifests itself.
    One such place is in the file_list() function:

            char *x, *y, *z;    /* x is used below but was not declared in the quoted fragment */
            z = xmalloc(strlen(de->d_name) + 2);
            strcpy(z, de->d_name);    /* d_name: directory name, attacker-controlled */
            strcat(z, "/");
            x = xmalloc(32 + strlen(de->d_name));
            y = my_ctime(st.st_mtime);
            sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
            /* x, now carrying d_name, is the string that reaches say() as fmt
               (the say() call itself is not quoted in the advisory) */

    In this case, if the name of a directory contains an attacker-supplied format
    string, the attacker can overwrite arbitrary locations in memory with values
    of their choosing.
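
    The following is an added example, not code from zkfingerd or from the
    advisory, covering both the putlog()/syslog() case and the say()/file_list()
    case, which share one root cause: untrusted text lands in the format slot.
    vsnprintf() into a buffer stands in for the vprintf() and syslog() sinks so
    the effect is visible; say_into(), say_safe_into(), demo_percent_n() and
    has_format_directive() are illustrative names chosen here, and the "user
    name" inputs are constructed for the demonstration. The %n demonstration
    supplies its own target pointer, which is the legitimate use of that
    conversion; it shows the value an attacker controls (the character count),
    not an exploit of the daemon.

```c
/* Added example (not zkfingerd code): what a format-string sink does with
 * untrusted input, the "%n" write it exposes, and the "%s" fix.  vsnprintf()
 * into a buffer stands in for the vprintf()/syslog() sinks in the advisory. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the advisory's say(): whatever the caller passes becomes the
 * format string.  Returns the length vsnprintf() reports. */
static int say_into(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Hardened form of the same sink: untrusted text is only ever a "%s" argument,
 * so its '%' characters are copied, never interpreted. */
static int say_safe_into(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* The write primitive behind the advisory's "%n" remark.  %n stores the number
 * of characters emitted so far through the next int* argument; the field width
 * chooses the value.  Here the pointer is ours; in the vulnerable say() the same
 * conversion pulls whatever pointer sits in the variadic slot on the stack. */
static int demo_percent_n(unsigned width)
{
    char buf[256];
    int stored = -1;
    if (width == 0 || width > 200)
        return -1;                      /* keep the demo inside buf */
    snprintf(buf, sizeof buf, "%0*x%n", (int)width, 0u, &stored);
    return stored;                      /* equals width */
}

/* Audit helper (hypothetical, not from the project): does a string that is
 * about to be logged carry a conversion specifier?  A '%' followed by another
 * '%' is a literal percent and is ignored. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char out[64];
    const char *name = "50%%";          /* constructed "user name" for the demo */

    say_into(out, sizeof out, name);
    printf("unsafe sink rendered \"%s\" as \"%s\"\n", name, out);
    say_safe_into(out, sizeof out, name);
    printf("safe sink rendered   \"%s\" as \"%s\"\n", name, out);
    printf("%%n after a width-8 field stored %d\n", demo_percent_n(8));
    printf("\"alice%%n\" has directive: %d\n", has_format_directive("alice%n"));
    return 0;
}
```

    The benign input "50%%" is enough to show the difference: the unsafe sink
    collapses it to "50%", proving the data was parsed as a format, while the
    "%s" form copies it unchanged. Anything a remote user supplies, a finger
    query or a directory name, should only ever travel through the latter.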

    Fix Information
    NGSSoftware alerted the author of zkfingerd to these problems on the 27th
    of November, 2002. The author responded quickly and made the relevant
    security fixes. Patched source code can be downloaded from CVS @ Sourceforge.


    A check for this issue has been added to Typhon III, NGSSoftware's advanced
    vulnerability assessment tool, of which, more information is available at
    the NGSSite: http://www.ngssoftware.com/

    For more information about format string vulnerabilities please read


    About NGSSoftware
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting offers best of breed security consulting
    services, specialising in application, host and network security.


    Telephone +44 208 401 0070
    Fax +44 208 401 0076
