Subject: cfingerd 1.3.2
To: BUGTRAQ@netspace.org

Hi,

there is a remote buffer overflow in cfingerd 1.3.2 in search_fake():

int search_fake(char *username)
{
    char parsed[80];

    bzero(parsed, 80);
    sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
    ...

called from process_username(), which is called from main():

int main(int argc, char *argv[])
{
    char username[100], syslog_str[200];
    ...
    if (!emulated) {
        if (!fgets(username, sizeof(username), stdin)) {
    ...
    /* Check the finger information coming in and return its type */
    un_type = process_username(username);

See parsed[80] and username[100]. Anyway, search_illegal() is called before search_fake(), so only [A-z0-9] and many other characters can be used in order to execute arbitrary code.

Debian is not vulnerable because a patch fixes this and other cfingerd weaknesses (I think it's an example of bad coding), but searching the bugtraq archive I haven't found anything.

I take the opportunity to inform you that I'm developing a secure (I hope) finger daemon: mayfingerd. In order to make mayfingerd more portable I need some unprivileged accounts on hosts running *BSD, Solaris, AIX etc. Can bugtraq readers help me? I hope it will be released together with hping2 next month.

Sorry for my bad english forever :)

have a good summer,
antirez

--
Salvatore Sanfilippo antirez | md5330@mclink.it | antirez@alicom.com
try hping: http://www.kyuzz.org/antirez
antirez@seclab.com
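The overflow condition described in the post, as an added example that is not part of antirez's message or of cfingerd's own code. The buffer sizes (parsed[80], username[100]) and the sscanf() format are the ones quoted above; the function names would_overflow(), search_fake_fixed() and fixed_prefix_len() and the sample usernames are assumptions constructed for the example. would_overflow() computes how many bytes the unbounded "%[^.]" conversion stores for a given request line, and search_fake_fixed() shows the minimal hardening: a field width of 79 so that sscanf() can never write more than 80 bytes into parsed.

```c
/* Added example (not cfingerd code): the overflow condition in
 * search_fake() and a width-limited sscanf() that closes it.
 * Buffer sizes are the ones quoted from cfingerd 1.3.2; the function
 * names and the sample inputs below are assumptions/constructed. */
#include <stdio.h>
#include <string.h>

#define PARSED_LEN   80   /* char parsed[80] in search_fake() */
#define USERNAME_LEN 100  /* char username[100] in main()     */

/* Constructed input: 99 'A's, the longest line fgets() will place in
 * username[100]. It contains no '.', so the unbounded "%[^.]" copies
 * all 99 bytes plus a NUL into parsed[80]: a 20-byte overflow. */
#define A10 "AAAAAAAAAA"
#define LONG_NAME A10 A10 A10 A10 A10 A10 A10 A10 A10 "AAAAAAAAA"

/* Bytes the unbounded "%[^.]" conversion stores (NUL excluded):
 * everything up to the first '.', or the whole string if there is none. */
static size_t fake_prefix_len(const char *username)
{
    const char *dot = strchr(username, '.');
    return dot ? (size_t)(dot - username) : strlen(username);
}

/* Returns 1 if feeding this username to the original
 *     sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
 * would write past the end of parsed[PARSED_LEN] (prefix + NUL > 80). */
int would_overflow(const char *username)
{
    return fake_prefix_len(username) + 1 > PARSED_LEN;
}

/* Hardened variant: a field width of PARSED_LEN-1 bounds the conversion
 * at 79 bytes, leaving room for the terminating NUL. Returns the number
 * of bytes stored in parsed, or -1 if the first conversion matched nothing. */
int search_fake_fixed(const char *username, char parsed[PARSED_LEN])
{
    memset(parsed, 0, PARSED_LEN);
    if (sscanf(username, "%79[^.].%*[^\r\n]\r\n", parsed) < 1)
        return -1;
    return (int)strlen(parsed);
}

/* Convenience wrapper: run the hardened parser on a local buffer and
 * return only the stored length, so callers need not manage a buffer. */
int fixed_prefix_len(const char *username)
{
    char parsed[PARSED_LEN];
    return search_fake_fixed(username, parsed);
}

int main(void)
{
    char parsed[PARSED_LEN];
    const char *inputs[] = { "antirez.foo\r\n", LONG_NAME, ".hidden\r\n" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = search_fake_fixed(inputs[i], parsed);
        printf("input %zu: prefix=%zu byte(s), overflow=%d, "
               "hardened parser stores %d byte(s) -> \"%.20s%s\"\n",
               i, fake_prefix_len(inputs[i]), would_overflow(inputs[i]),
               n, parsed, n > 20 ? "..." : "");
    }
    return 0;
}
```

The width is the smallest change that makes the existing code memory-safe, but it silently truncates: a request whose prefix is longer than 79 bytes is parsed as a different (shorter) name instead of being rejected. A daemon that wants to fail closed should check would_overflow() (or the equivalent length test) first and drop the request, which is also the condition a detection rule would look for: a finger request line with no '.' within its first 80 bytes.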