
efingerd remote buffer overflow
7th Mar 2002 [SBWID-5169]

	efingerd 1.3, 1.6.1


	Spybreak [] posted:

	1.) Remote buffer overflow

	In the stable version (debian 1.3) it is possible to remotely cause a
	buffer overflow condition through an exploitation of a reverse-lookup
	part of the code:

	#include <string.h>
	#include <netdb.h>
	#include <netinet/in.h>
	#include <arpa/inet.h>

	extern int resolve_addr;        /* efingerd option flag, defined elsewhere */

	static char *lookup_addr (struct in_addr in)
	{
	        static char addr[100];  /* fixed-size buffer, no length check below */
	        struct hostent *he;

	        if (resolve_addr) {
	                he = gethostbyaddr ((char *)&in, sizeof(struct in_addr), AF_INET);
	                if (he == NULL)
	                        strcpy(addr, inet_ntoa(in));
	                else
	                        /* h_name comes from the PTR record of the connecting
	                           host, so its length is under remote control */
	                        strcpy(addr, he->h_name);
	        } else
	                strcpy (addr, inet_ntoa (in));

	        return addr;
	}


	Usually efingerd runs as 'nobody'.


	2.) The feature

	But there is another security issue with efingerd. When some existing
	user is fingered, efingerd looks for a ".efingerd" file in that
	user's home directory and if it does exist and it is executable it
	tries to execute it - as 'nobody'. The .efingerd's output is sent
	back to the fingerer.

	So _whatever_ a local user puts in his .efingerd file, can be executed
	under nobody UID/GID simply by fingering himself. So getting a
	nobody/nobody shell is straightforward. This can be very interesting for
	a potential evildoer going to hide his identity during some nasty
	actions, for example local DoS attacks. As the logfile is writable by
	the UID of efingerd, it can be easily manipulated.

	This feature can be turned off with the -u option.


	Try ident2
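	As an added defensive example, not efingerd's own code: a bounded replacement for the lookup_addr() formatter in section 1. It takes the resolver's answer as a parameter instead of calling gethostbyaddr() so it runs offline, and a PTR name that does not fit the 100-byte buffer is discarded in favour of the dotted quad rather than silently truncated. The names format_peer, format_peer_str and make_name are assumptions for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define ADDR_LEN 100   /* same buffer size as efingerd's lookup_addr() */

/* Hardened formatter (example code, not efingerd's). resolved_name is what
 * gethostbyaddr() would have returned in he->h_name, or NULL when the
 * lookup failed. A name that does not fit, NUL included, is rejected and
 * the dotted quad is logged instead: the buffer can never overflow and the
 * log never carries a silently truncated hostname. */
static char *format_peer(struct in_addr in, const char *resolved_name)
{
	static char addr[ADDR_LEN];
	const char *dotted = inet_ntoa(in);          /* always < 16 chars */
	const char *src = dotted;

	if (resolved_name != NULL && strlen(resolved_name) < sizeof addr)
		src = resolved_name;                 /* fits with its NUL */

	snprintf(addr, sizeof addr, "%s", src);      /* bounded, NUL-terminated */
	return addr;
}

/* Wrapper for offline use: dotted-quad string in, formatted peer out.
 * Returns NULL when the address string is malformed. */
const char *format_peer_str(const char *dotted, const char *resolved_name)
{
	struct in_addr in;
	if (inet_pton(AF_INET, dotted, &in) != 1)
		return NULL;
	return format_peer(in, resolved_name);
}

/* Constructed test input: a hostname of n 'a' characters (max 511), standing
 * in for a PTR record of attacker-chosen length. */
const char *make_name(size_t n)
{
	static char buf[512];
	if (n > sizeof buf - 1)
		n = sizeof buf - 1;
	memset(buf, 'a', n);
	buf[n] = '\0';
	return buf;
}
```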
