From BUGTRAQ announce (by Megyer Laszlo <abulla@FREEMAIL.HU>):

Following the recent habits, I break the advisory into 4 parts:

OVERVIEW:
---------
  There is a critical bug in cfingerd daemon <= 1.4.3, (a classic format
bug)
that makes possible to acquire full control over the remote machine if it
runs
the cfingerd program, the configurable and secure finger daemon.
  In 3 words: REMOTE ROOT VULNERABILITY

DESCRIPTION:
------------
The bug occurs in main.c, line 245, 258 and 268:
<------         syslog(LOG_NOTICE, (char *) syslog_str);
We can control the syslog_str with our ident user, that goes directly to
the secont parameter of syslog(). Using %n and some tricks, we can overwrite
anything in the daemon's memory, including the saved eip register.
  The more or less proper usage of syslog this time is here:
  ------>            syslog(LOG_NOTICE, "%s", (char *) syslog_str);
There are many papers about format bugs, so I don't write detailed infos
about it.

Changed files:
    cfingerd-security_format_bug.patch -> 1.1

diff --git a/cfingerd-security_format_bug.patch b/cfingerd-security_format_bug.patch
new file mode 100644 (file)
index 0000000..b88264e
--- /dev/null
+++ b/cfingerd-security_format_bug.patch
@@ -0,0 +1,40 @@
+--- cfingerd-1.4.3/src/main.c.orig     Fri Aug  6 23:33:38 1999
++++ cfingerd-1.4.3/src/main.c  Wed Apr 11 18:55:43 2001
+@@ -242,7 +242,7 @@
+           if (!emulated) {
+               snprintf(syslog_str, sizeof(syslog_str), "%s fingered (internal) from %s", username,
+                   ident_user);
+-              syslog(LOG_NOTICE, (char *) syslog_str);
++              syslog(LOG_NOTICE, "%s", (char *) syslog_str);
+           }
+
+           handle_internal(username);
+@@ -255,7 +255,7 @@
+                   snprintf(syslog_str, sizeof(syslog_str), "%s fingered from %s",
+                       prog_config.p_strings[D_ROOT_FINGER], ident_user);
+
+-              syslog(LOG_NOTICE, (char *) syslog_str);
++              syslog(LOG_NOTICE, "%s", (char *) syslog_str);
+           }
+
+           handle_standard(username);
+@@ -265,7 +265,7 @@
+               snprintf(syslog_str, sizeof(syslog_str), "%s %s from %s", username,
+                   prog_config.p_strings[D_FAKE_USER], ident_user);
+
+-              syslog(LOG_NOTICE, (char *) syslog_str);
++              syslog(LOG_NOTICE, "%s", (char *) syslog_str);
+           }
+
+           handle_fakeuser(username);
+--- cfingerd-1.4.3/src/rfc1413.c.orig  Sun Aug 29 14:14:25 1999
++++ cfingerd-1.4.3/src/rfc1413.c       Wed Apr 11 18:53:45 2001
+@@ -98,7 +98,7 @@
+
+       if (*(++cp) == ' ') cp++;
+       memset(uname, 0, sizeof(uname));
+-      for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
++      for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&(strlen(uname)+1)<sizeof(uname); cp++)
+           *(xp++) = *cp;
+
+       if (!strlen(uname)) {