7705986 2001-12-20 19:39 +0100  /174 lines/ Benoît Roussel <benoit.roussel@intexxia.com>
Sent by: joel@lysator.liu.se
Imported: 2001-12-21  00:22  by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.com>
External carbon-copy recipient: CERT-intexxia <cert@intexxia.com>
Recipient: Bugtraq (import) <20237>
Subject: [CERT-intexxia] pfinger Format String Vulnerability
------------------------------------------------------------
From: Benoît Roussel <benoit.roussel@intexxia.com>
To: "bugtraq" <bugtraq@securityfocus.com>
Cc: "CERT-intexxia" <cert@intexxia.com>
Message-ID: <02fe01c18985$b8af0ca0$403e010a@lab.intexxia.com>


________________________________________________________________________
SECURITY ADVISORY                                            INTEXXIA(c)
18 12 2001                                               ID #1050-181201
________________________________________________________________________
TITLE   : pfinger Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________


SYSTEM AFFECTED
===============

        pfinger <= 0.7.7


________________________________________________________________________


DESCRIPTION
===========

        pfinger is a finger daemon written in C. It contains a format
string vulnerability.


________________________________________________________________________


DETAILS
=======

        Both client and server are vulnerable to format string
injection, for example through a '.plan' file.

        Client side : the client passes the data received from the
server directly as the first (format) argument of printf(3). A user
could create a specially crafted '.plan' file that would be printed by
the pfinger client. As a result, it could be possible to execute
arbitrary code in the client.

        Server side : if the server is configured to connect to a
master server (with the <sitehost> directive), data received from the
master server is used directly as the first argument of printf(3). If a
malicious user modifies the master to make it send crafted data, it is
possible to execute code on the vulnerable 'slave' server.

        If a user has an account on the master server, he can create a
crafted '.plan' file containing the format string. A simple finger
request to the 'slave' server (which acts as a client of the master)
would then also trigger the server-side vulnerability.

        The pfinger daemon runs with 'nobody' permissions by default.
Complete exploitation of this vulnerability will permit an attacker to
execute code with the 'nobody' permissions. This foothold could then be
used to compromise the local system by exploiting other local
vulnerabilities.
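The defect described above, as an added illustration that is not pfinger's own code: the received line must be an argument to printf(3), never its format. The hardened function and the directive counter below use hypothetical names; the sample line is the '.plan' from the proof of concept.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern the advisory describes: the line received from the
 * server (or the master) is the format argument itself. Shown only as a
 * comment, since gcc -Werror=format-security rightly refuses to build it:
 *
 *     printf(line);      -- "%p %p %p" then reads three words off the stack
 */

/* Hardened pattern: the data is an ordinary argument, so "%p" is printed
 * literally. Renders into a caller-supplied buffer; returns snprintf's
 * length so callers can detect truncation. */
int show_plan_fixed(const char *line, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", line);
}

/* Defensive check for received data: count the conversion directives
 * printf(3) would act on. "%%" is a literal percent sign and is skipped;
 * a lone trailing '%' is counted, since it is a malformed directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;            /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the .plan line from the advisory's proof of concept */
    const char *plan = "Now a little format string: %p %p %p :-)";
    char buf[128];

    printf("directives found: %d\n", count_format_directives(plan));
    show_plan_fixed(plan, buf, sizeof buf);
    printf("fixed output    : %s\n", buf);   /* the %p survive verbatim */
    return 0;
}
```

Building with gcc -Wformat -Wformat-security flags every printf(variable) call at compile time, which is the cheapest way to find this class of bug in a code base like this one.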


________________________________________________________________________


PROOF OF CONCEPT
================

        Here are two proofs of concept, one for each side.

Client side :

evil@test:~$ cat ~/.plan 
Now a little format string: %p %p %p :-)
evil@test:~$ 

good@test:~$ finger -l evil
Login Name: evil                In real life: Evil
Login    Name                   Status  Login time Host
evil     Evil                   active  Mon 08:02  test
No mail.
Plan:
Now a little format string: 0x8049da0 0x640 0x400a252d :-)
good@test:~$


Server side :

good@test:~$ cat /etc/fingerconf
<fingerconf>
<sitehost>master</sitehost>
</fingerconf>

evil@master:~$ cat ~/.plan
Now a little format string: %p %p %p :-)
evil@master:~$ telnet test 79
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
/W evil
Login Name: evil                        In real life: Evil
Login    Name                   Status  Login time Host
evil     Evil                   active  Mon 08:02  master
No mail.
Plan:
Now a little format string: 0xbfbff860 0x400 0x0 :-)
Connection closed by foreign host.
evil@master:~$


________________________________________________________________________


SOLUTION
========

        There is an official solution now. A new version has been
released which corrects this security issue. pfinger version 0.7.8 is
available at :

http://www.xelia.ch/unix/pfinger/


________________________________________________________________________


VENDOR STATUS
=============

        18-12-2001 : This bulletin was sent to Michael Baumer.
        19-12-2001 : pfinger version 0.7.8 has been released, which
                     solves this issue.


________________________________________________________________________


LEGALS
======

        Intexxia provides this information as a public service and
"as is". Intexxia will not be held accountable for any damage or
distress caused by the proper or improper usage of these materials.


        (c) intexxia 2001. This document is property of intexxia.
Feel free to use and distribute this material as long as credit is
given to intexxia and the author.


________________________________________________________________________


CONTACT
=======

CERT intexxia                                          cert@intexxia.com
INTEXXIA                                         http://www.intexxia.com
171, av. Georges Clemenceau                 Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France                    Fax : +33 1 55 69 78 80
