cfingerd Buffer Overflow Vulnerability
There is a remotely exploitable buffer overflow in cfingerd 1.3.2, which ships with Debian GNU/Linux. The offending code is in search_fake():

    int search_fake(char *username)
    {
        char parsed[80];

        bzero(parsed, 80);
        /* "%[^.]" carries no field width: every character up to the first
           '.' is copied into the 80-byte parsed[] buffer, however long. */
        sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
        ...

search_fake() is called from process_username(), which is called from main():

    int main(int argc, char *argv[])
    {
        char username[100], syslog_str[200];
        ...
        if (!emulated) {
            if (!fgets(username, sizeof(username), stdin)) {
        ...
        /* Check the finger information coming in and return its type */
        un_type = process_username(username);

fgets() accepts a line of up to 99 characters, so a username containing no '.' is copied in full into parsed[80], overrunning the buffer by up to 20 bytes (99 characters plus the terminating NUL). search_illegal() is called before search_fake(), so only characters in [A-z0-9] can be used in the overflow string. The consequence is a remote root compromise.
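The following is an added example, not cfingerd's own code, showing why the unbounded "%[^.]" conversion overruns parsed[80] and what the fix looks like. It reproduces the two buffer sizes from the advisory (username[100] filled by fgets(), parsed[80] in search_fake()), computes how many bytes the original conversion would write for a given line, and gives two hardened replacements: the minimal field-width fix ("%79[^.]") and an explicit strcspn()-based parser that rejects over-long input instead of truncating it. The function names search_fake_fixed, parse_fake_prefix and the 98-'A' sample line are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_LEN 100   /* main(): char username[100], filled by fgets() */
#define PARSED_LEN    80   /* search_fake(): char parsed[80] */

/* Number of bytes the original unbounded "%[^.]" conversion copies into
 * parsed[] for this line: the run of characters before the first '.'.
 * A newline is not '.', so a line with no '.' at all counts in full. */
size_t fake_prefix_len(const char *username)
{
    return strcspn(username, ".");
}

/* 1 if the original search_fake() would write past parsed[80] for this
 * line, i.e. the prefix plus its terminating NUL exceeds the buffer. */
int original_would_overflow(const char *username)
{
    return fake_prefix_len(username) + 1 > PARSED_LEN;
}

/* Minimal fix (hypothetical name): give the conversion a field width of
 * sizeof(parsed) - 1. sscanf() then stops after 79 characters and the NUL
 * always lands inside the buffer. Returns 1 if a prefix was stored. */
int search_fake_fixed(const char *username, char parsed[PARSED_LEN])
{
    memset(parsed, 0, PARSED_LEN);
    return sscanf(username, "%79[^.].%*[^\r\n]\r\n", parsed) == 1;
}

/* Explicit alternative (hypothetical name) that rejects over-long input
 * instead of silently truncating it and only accepts the "name.suffix"
 * shape. Returns 1 on success, 0 if there is no '.', -1 if too long. */
int parse_fake_prefix(const char *username, char *parsed, size_t parsed_len)
{
    size_t n = fake_prefix_len(username);
    if (n == 0 || username[n] != '.')
        return 0;
    if (n + 1 > parsed_len)
        return -1;
    memcpy(parsed, username, n);
    parsed[n] = '\0';
    return 1;
}

/* Constructed sample: the longest line fgets(username, 100, stdin) will
 * accept, 98 'A's followed by a newline, with no '.' anywhere in it. */
static void longest_line(char out[USERNAME_LEN])
{
    memset(out, 'A', USERNAME_LEN - 2);
    out[USERNAME_LEN - 2] = '\n';
    out[USERNAME_LEN - 1] = '\0';
}

int demo_longest_line_overflows(void)
{
    char line[USERNAME_LEN];
    longest_line(line);
    return original_would_overflow(line);            /* 1: 100 bytes into 80 */
}

size_t demo_fixed_sscanf_truncates(void)
{
    char line[USERNAME_LEN], parsed[PARSED_LEN];
    longest_line(line);
    search_fake_fixed(line, parsed);
    return strlen(parsed);                           /* 79, not 99 */
}

int demo_explicit_parse_user(void)
{
    char parsed[PARSED_LEN];
    return parse_fake_prefix("user.fake\r\n", parsed, sizeof parsed) == 1
        && strcmp(parsed, "user") == 0;              /* 1 */
}

int demo_explicit_parse_no_dot(void)
{
    char parsed[PARSED_LEN];
    return parse_fake_prefix("user\r\n", parsed, sizeof parsed);   /* 0 */
}

int demo_explicit_parse_too_long(void)
{
    char line[USERNAME_LEN], parsed[PARSED_LEN];
    memset(line, 'A', 90);                           /* 90 chars, then '.' */
    line[90] = '.';
    line[91] = '\0';
    return parse_fake_prefix(line, parsed, sizeof parsed);         /* -1 */
}

int main(void)
{
    printf("longest fgets() line overflows original: %d\n",
           demo_longest_line_overflows());
    printf("width-limited sscanf stores %zu bytes\n",
           demo_fixed_sscanf_truncates());
    printf("explicit parser: user=%d no_dot=%d too_long=%d\n",
           demo_explicit_parse_user(), demo_explicit_parse_no_dot(),
           demo_explicit_parse_too_long());
    return 0;
}
```

Note that even the width-limited sscanf() still returns 1 when the line has no '.' (the first conversion succeeds before the literal '.' fails to match), which is why the explicit parser is preferable when the caller needs to know that a real "name.suffix" form was present rather than just that something was copied.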