
[linux-security] another cfingerd remote exploit



Topic
=====
remote root exploit in cfingerd (another one)

Problem Description
===================
At least three remote root exploits for this vulnerability have already
been published. If you are affected you must fix this immediately or,
better, uninstall the cfingerd package.

cfingerd (a configurable finger daemon) suffers from two problems:

1. The code that reads configuration files (files in which $ commands are
   expanded) copies its input into a fixed-size buffer without any bounds
   check. When the ALLOW_LINE_PARSING feature is enabled, the same code is
   also used to read users' files, so the data it copies is no longer
   trusted.

2. The same routine also hands that data to printf() without protecting
   against printf format string attacks (%n and friends).

ALLOW_LINE_PARSING is enabled in the default /etc/cfingerd.conf configuration
file. The vulnerabilities can be exploited by local and remote users to
gain root access.
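To make the two bug classes concrete, here is an added illustration in C. It is not cfingerd's code: the "$u"/"$h" expansion, the 64-byte buffer and every function name are hypothetical stand-ins for the daemon's "$ command" expansion. The unsafe variant shows why checking the input length alone is not enough (an expansion can make the output longer than the input) and why user data must never be the printf() format; the hardened variant bounds the copy, refuses rather than truncates, and emits the line with fputs().

```c
/* Added example, NOT cfingerd's code. The $-commands, buffer size and
 * function names below are hypothetical stand-ins for the real daemon. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LINE_BUF 64   /* fixed-size output buffer, as in the unsafe pattern */

/* Hypothetical "$N" command lookup: $u -> user name (attacker-chosen when
 * a users' file is parsed), $h -> a host name. Unknown: copy literally. */
static const char *expand_cmd(char c, const char *user)
{
    switch (c) {
    case 'u': return user;
    case 'h': return "example.invalid";
    default:  return NULL;
    }
}

/* VULNERABLE: unbounded copy of expanded data, then printf(buf). */
static void format_line_unsafe(const char *line, const char *user)
{
    char buf[LINE_BUF];
    char *out = buf;
    for (const char *p = line; *p; p++) {
        const char *rep = (*p == '$') ? expand_cmd(p[1], user) : NULL;
        if (rep) { strcpy(out, rep); out += strlen(rep); p++; } /* overflow */
        else *out++ = *p;
    }
    *out = '\0';
    printf(buf);   /* format-string bug: "%n" in a users' file reaches printf */
}

/* HARDENED: bounded copy; returns the length written, or -1 if the expanded
 * line would not fit (refuse, do not silently truncate). */
static int format_line_safe(const char *line, const char *user,
                            char *buf, size_t bufsz)
{
    size_t used = 0;
    if (bufsz == 0) return -1;
    for (const char *p = line; *p; p++) {
        const char *rep = (*p == '$') ? expand_cmd(p[1], user) : NULL;
        if (rep) {
            size_t n = strlen(rep);
            if (n > bufsz - 1 - used) return -1;   /* would overflow */
            memcpy(buf + used, rep, n);
            used += n;
            p++;                                   /* skip the command char */
        } else {
            if (used >= bufsz - 1) return -1;      /* no room for char + NUL */
            buf[used++] = *p;
        }
    }
    buf[used] = '\0';
    return (int)used;
}

/* Emit the line as data; it is never interpreted as a format string. */
static void emit_line(const char *buf)
{
    fputs(buf, stdout);
}

int main(void)
{
    char out[LINE_BUF];
    char longuser[200];

    /* Benign input: both variants behave, which is why the bug goes unnoticed. */
    format_line_unsafe("Login: $u on $h\n", "alice");
    if (format_line_safe("Login: $u on $h\n", "alice", out, sizeof out) < 0)
        return 1;
    emit_line(out);

    /* Oversized expansion: the hardened variant refuses instead of overflowing. */
    memset(longuser, 'A', sizeof longuser - 1);
    longuser[sizeof longuser - 1] = '\0';
    if (format_line_safe("$u\n", longuser, out, sizeof out) == -1)
        emit_line("refused: expanded line does not fit\n");
    return 0;
}
```

Running the unsafe variant with the long user name would smash the stack, and feeding it a line containing "%n" would let printf() write to memory; both are exactly the two problems described above.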

Affected Systems
================
Systems running cfingerd version 1.4.3 or earlier (i.e., every released
version), e.g., Debian.

Workaround (recommended!)
=========================
Uninstall the cfingerd package!
Do not run cfingerd, or any finger daemon for that matter.
Otherwise, comment out the finger line in /etc/inetd.conf and make
inetd re-read its configuration with "kill -HUP <pid of inetd>".
Afterwards, check that nothing listens on TCP port 79 any more.

Solution
========
(in case you really need cfingerd)

Debian 2.2 (potato)
-------------------
update to cfingerd_1.4.1-1.2_i386.deb