Bugtraq mailing list archives
buffer overflow in configurable fingerd?
From: shuman () ANNEXGRP ORG (M Shariful Anam)
Date: Thu, 13 Feb 1997 00:39:44 +0600
Hi,
While playing around with Ken Hollis's cfingerd 1.2.3 on Linux, I found
out there is one or more chances of buffer overflow when reading its
config file, /etc/cfingerd.conf.
Some strings are probably copied to variables without checking the length.
In those situations, doing any finger from anywhere (remote/local) to the
machine causes a SIGSEGV. Now, the potential problem is, cfingerd is
recommended to be run as root from inetd.conf by the Author. So I think
there might be a chance of getting a root exploit here on the machines
running cfingerd 1.2.3.
Also note that it has another program, userlist, which simply lists the
users logged in and is installed as rws--S--- root.root by default, when
those setu/gid bits are not needed at all!
---
 M Shariful Anam                              <shuman () kaifnet com>
                Kaifnet Services -- Bangladesh
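
The post suspects that strings from /etc/cfingerd.conf are copied into fixed-size variables without a length check. The following is an added example, not cfingerd's own code and not part of the original message: a length-checked parser for a single config entry that rejects an over-long field instead of writing past the buffer. The "NAME = VALUE" line format, the 80-byte buffer size and all identifiers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define OPT_MAX 80   /* assumed buffer size; cfingerd's real sizes are not in the post */

struct option {      /* hypothetical record for one config entry */
    char name[OPT_MAX];
    char value[OPT_MAX];
};

/* Bounded copy: 0 on success, -1 if len bytes plus NUL do not fit in dst.
 * The unchecked pattern the post suspects is the equivalent of strcpy(dst, src). */
static int copy_checked(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len >= dstsz)
        return -1;   /* refuse: no overflow, no silent truncation */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one "NAME = VALUE" line (constructed format).
 * Returns 0 on success, -1 if malformed, -2 if a field is too long. */
int parse_option(const char *line, struct option *opt)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    const char *name_end = eq;
    while (name_end > line && (name_end[-1] == ' ' || name_end[-1] == '\t'))
        name_end--;
    if (name_end == line)
        return -1;   /* empty option name */
    const char *val = eq + 1;
    while (*val == ' ' || *val == '\t')
        val++;
    size_t val_len = strcspn(val, "\r\n");
    if (copy_checked(opt->name, sizeof opt->name, line, (size_t)(name_end - line)) ||
        copy_checked(opt->value, sizeof opt->value, val, val_len))
        return -2;
    return 0;
}

int main(void)
{
    struct option o;
    char line[600] = "BANNER = ";   /* constructed over-long entry */
    memset(line + 9, 'A', 500);     /* the rest of the array is already zeroed */
    printf("normal: %d\n", parse_option("HOSTNAME = host.example\n", &o));
    printf("overlong: %d\n", parse_option(line, &o));
    return 0;
}
```

A daemon started as root from inetd would treat the -2 result as a fatal configuration error and exit before serving any request.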