[LWN Logo]

Date:	Fri, 2 Jul 1999 00:11:26 +0200
From:	Salvatore Sanfilippo -antirez- <md5330@MCLINK.IT>
Subject:      cfingerd 1.3.2
To:	BUGTRAQ@NETSPACE.ORG

Hi,

	there is a remote buffer over flow in cfingerd 1.3.2
	in search_fake():

int search_fake(char *username)
{
    char parsed[80];

    bzero(parsed, 80);
    sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
...


called from process_username(), that is called from main:

int main(int argc, char *argv[])
{
    char username[100], syslog_str[200];
...

    if (!emulated) {
        if (!fgets(username, sizeof(username), stdin)) {

...
    /* Check the finger information coming in and return its type */
    un_type = process_username(username);


	see parsed[80] and username[100].
	Anyway search_illegal() is called before than search_fake()
	so only [A-z0-9] and many other char can be used in oreder to
	execute arbitrary code.

	Debian is not vulnerable because a patch fix this and other
	cfingerd weakness (i think it's an example of bad coding)
	but searching in bugtraq archive i haven't found anything.

	I take opportunity to inform that i'm developing a
	secure (i hope) finger daemon: mayfingerd. In order to
	make mayfingerd more portable i need some unprivileged
	account in hosts running *BSD, Solaris, AIX etc. Bugtraq
	readers can help me?

	I hope it will be released together with hping2 the
	next month.

	Sorry for my bad english forever :)

have a good summer,
antirez

--
Salvatore Sanfilippo antirez | md5330@mclink.it | antirez@alicom.com
try hping: http://www.kyuzz.org/antirez           antirez@seclab.com