git.pld-linux.org Git - packages/cfingerd.git/commit

author	kloczek <kloczek@pld-linux.org>
	Fri, 13 Apr 2001 07:08:25 +0000 (07:08 +0000)
committer	cvs2git <feedback@pld-linux.org>
	Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
commit	0e04792fbbb845baff8d20ee04310c3ad229e175
tree	f56adcb2ea661b4d1df656295dfadc78e58f3f9f	tree \| snapshot
parent	e9a6f6b47f911616f8dddacc9ada1202ad56c8e3	commit \| diff

From BUGTRAQ announce (by Megyer Laszlo <abulla@FREEMAIL.HU>):

Following the recent habits, I break the advisory into 4 parts:

OVERVIEW:
---------
  There is a critical bug in cfingerd daemon <= 1.4.3, (a classic format
bug)
that makes possible to acquire full control over the remote machine if it
runs
the cfingerd program, the configurable and secure finger daemon.
  In 3 words: REMOTE ROOT VULNERABILITY

DESCRIPTION:
------------
The bug occurs in main.c, line 245, 258 and 268:
<------         syslog(LOG_NOTICE, (char *) syslog_str);
We can control the syslog_str with our ident user, that goes directly to
the secont parameter of syslog(). Using %n and some tricks, we can overwrite
anything in the daemon's memory, including the saved eip register.
  The more or less proper usage of syslog this time is here:
  ------>            syslog(LOG_NOTICE, "%s", (char *) syslog_str);
There are many papers about format bugs, so I don't write detailed infos
about it.

Changed files:
    cfingerd-security_format_bug.patch -> 1.1