From benoit.roussel@intexxia.com Fri Dec 21 15:17:27 2001 From: "[iso-8859-1] Benoît Roussel" To: bugtraq Cc: CERT-intexxia Date: Thu, 20 Dec 2001 19:39:52 +0100 Subject: [CERT-intexxia] pfinger Format String Vulnerability [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ SECURITY ADVISORY INTEXXIA(c) 18 12 2001 ID #1050-181201 ________________________________________________________________________ TITLE : pfinger Format String Vulnerability CREDITS : Guillaume Pelat / INTEXXIA ________________________________________________________________________ SYSTEM AFFECTED =============== pfinger <= 0.7.7 ________________________________________________________________________ DESCRIPTION =========== pfinger is a finger daemon written in C. It is vulnerable to a format string vulnerability. ________________________________________________________________________ DETAILS ======= Both client and server are vulnerable to a format string injection using for example a '.plan' file. Client side : the client uses directly the data received from the server as the first argument of the printf(3) function. A user could create a specially crafted '.plan' file that would be printed by the pfinger client. As a result, it could be possible to make execute arbitrary code by the client. Server side : if the server is configured to connect to a master server (with the directive), data received from the master server are directly used as first argument in the printf(3) function. If a malicious user modifies the master to make it send crafted data, it is possible to make execute code to the vulnerable 'slave' server. If a user has an account on the master server, he can create a crafted '.plan' file containing the format string. A simple request to the 'client' server would also exploit the server side vulnerability. The pfinger daemon is launched with 'nobody' permissions by default. Complete exploitation of this vulnerability will permit an attacker to execute code with the 'nobody' permissions. But this flaw could be used to compromize the local system by exploiting other local vulnerabilities. ________________________________________________________________________ PROOF OF CONCEPT ================ Here are two proofs of concept for the both sides. Client side : evil@test:~$ cat ~/.plan Now a little format string: %p %p %p :-) evil@test:~$ good@test:~$ finger -l evil Login Name: evil In real life: Evil Login Name Status Login time Host evil Evil active Mon 08:02 test No mail. Plan: Now a little format string: 0x8049da0 0x640 0x400a252d :-) good@test:~$ Server side : good@test:~$ cat /etc/fingerconf master evil@master:~$ cat ~/.plan Now a little format string: %p %p %p :-) evil@master:~$ telnet test 79 Trying x.x.x.x... Connected to test.lab.intexxia.com. Escape character is '^]'. /W evil Login Name: evil In real life: Evil Login Name Status Login time Host evil Evil active Mon 08:02 master No mail. Plan: Now a little format string: 0xbfbff860 0x400 0x0 :-) Connection closed by foreign host. evil@master:~$ ________________________________________________________________________ SOLUTION ======== There is an official solution now. A new version has been released which corrects this security issue. pfinger version 0.7.8 is available at : http://www.xelia.ch/unix/pfinger/ ________________________________________________________________________ VENDOR STATUS ============= 18-12-2001 : This bulletin was sent to Michael Baumer. 19-12-2001 : pfinger version 0.7.8 has been released which solves this issue. ________________________________________________________________________ LEGALS ====== Intexxia provides this information as a public service and "as is". Intexxia will not be held accountable for any damage or distress caused by the proper or improper usage of these materials. (c) intexxia 2001. This document is property of intexxia. Feel free to use and distribute this material as long as credit is given to intexxia and the author. ________________________________________________________________________ CONTACT ======= CERT intexxia cert@intexxia.com INTEXXIA http://www.intexxia.com 171, av. Georges Clemenceau Standard : +33 1 55 69 49 10 92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBPCIwdU2N8BNyNDXLEQI+MQCg9SuwuxrM3kaQVNT57trzLaPpTJQAn35u AhSwVUKGRGPoRmxqMcN1Ue/3 =OctC -----END PGP SIGNATURE-----