cfingerd vulnerabilities
Created 4/20/01
CAN-2001-0609
Impact
If this vulnerability is present, a remote attacker could
execute arbitrary commands with the privileges of the
cfingerd server, which is typically root.
Background
The finger service provides information about users on a system, such
as account names, real-life user names, and the time and place
of a user's last login.
The Configurable Finger Daemon
(cfingerd) is a replacement for the standard
finger service which provides additional configuration
options and other enhancements.
The Problem
A format string vulnerability in cfingerd
could allow a remote attacker to execute arbitrary code
by submitting a query for a long, specially-crafted
user name.
cfingerd versions 1.4.3 and earlier are
susceptible to this attack if unpatched. Later versions
might also be vulnerable.
Resolution
It is unknown at the time of this writing whether
future versions of cfingerd will contain
a fix. To ensure that your version is fixed, you
will need to examine the source code, and recompile
it if necessary.
Start by downloading the latest distribution of the
source code.
Then in source/main.c, change all three
instances of the line:
syslog(LOG_NOTICE, (char *) syslog_str);
to:
syslog(LOG_NOTICE, "%s", (char *) syslog_str);
Follow the instructions in the source code distribution
for compiling and re-installing the server.
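The two syslog() forms above side by side, as an added illustration that is not cfingerd's own code: a constructed finger log line is passed once as the format argument (the vulnerable shape) and once as a "%s" argument (the fixed shape), written to a buffer instead of syslog() so the result can be inspected. The message layout, the client address and the query_looks_crafted() check are assumptions, not taken from cfingerd.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical helpers, not cfingerd's code: the log line goes to a buffer
 * via vsnprintf/snprintf instead of syslog() so it can be inspected. */

/* Vulnerable shape: untrusted text becomes the FORMAT argument, like
 * syslog(LOG_NOTICE, (char *) syslog_str). */
static int log_unsafe(char *out, size_t n, const char *syslog_str, ...)
{
    va_list ap;
    va_start(ap, syslog_str);
    int r = vsnprintf(out, n, syslog_str, ap); /* %-directives in user text are honoured */
    va_end(ap);
    return r;
}

/* Fixed shape: constant format, user text only ever fills a %s, like
 * syslog(LOG_NOTICE, "%s", (char *) syslog_str). */
static int log_safe(char *out, size_t n, const char *syslog_str)
{
    return snprintf(out, n, "%s", syslog_str);
}

/* Assumed message layout; the queried user name is raw network input. */
static void build_syslog_str(char *dst, size_t n, const char *client, const char *user)
{
    snprintf(dst, n, "finger request from %s for user %s", client, user);
}

/* Pre-log check: a finger user name has no reason to contain '%' or to be
 * very long; return 1 so the daemon can reject or alert on the query. */
static int query_looks_crafted(const char *user, size_t max_len)
{
    return strchr(user, '%') != NULL || strlen(user) > max_len;
}

int main(void)
{
    char msg[256], out[256];
    const char *crafted = "alice%08x";             /* constructed sample input */
    build_syslog_str(msg, sizeof msg, "198.51.100.7", crafted);
    /* One spare argument keeps the unsafe call well-defined for the demo. */
    log_unsafe(out, sizeof out, msg, 0xdeadbeefu);
    printf("unsafe: %s\n", out);    /* ...user alicedeadbeef: %08x was expanded */
    log_safe(out, sizeof out, msg);
    printf("safe:   %s\n", out);    /* ...user alice%08x: logged literally */
    printf("crafted query: %d\n", query_looks_crafted(crafted, 32));
    return 0;
}
```

Compiling the daemon with -Wformat -Wformat-security also flags the first shape wherever the format is a non-literal with no further arguments.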
Where can I read more about this?
This vulnerability was posted to
Bugtraq.