Title: cfingerd Format String Vulnerability
Severity: CRITICAL
Description:
cfingerd, or "Configurable Finger Daemon", is a replacement for familiar UNIX finger daemons such as GNU and MIT fingerd.
A key feature of cfingerd is that it logs remote access by adding a line to syslog containing the remote username and hostname of clients who connect to it. cfingerd gathers the remote username by querying the identd port of the client machine.
The facility by which cfingerd appends an entry to the syslog is the syslog() C library function. syslog() provides formatted output by making an sprintf() call.
cfingerd blindly passes usernames it gathers from clients as the format argument to syslog, opening it to format-string attacks.
cfingerd also contains a NULL-byte overflow between the username string and identd response string on the stack, creating the possibility for up to 183 bytes of shellcode [1]. This is taken advantage of in the exploit below.
Because cfingerd runs as root, a well-formed format string and shellcode could give an attacker complete control of the cfingerd host as root.
[1] The format returned by an identd host is similar to:
portinfo : UNIX : USERID : username
Because cfingerd contains a single NULL-byte overflow, the username and portinfo fields can be combined to form a continuous string that is passed to syslog as the remote username.
The format for the syslog output is as follows:
X fingered from Y@Z
Where X is the user that was fingered, Y is the remote username and Z is the remote hostname.
cfingerd caps its syslog output at 200 (199 + NULL) bytes. Assuming X is one byte in length, 199 - strlen("X fingered from ") = 183 characters.
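The defect and its fix, as an added C example that is not cfingerd's own code: the identd-supplied name must reach syslog() as an argument to a fixed format, never as the format itself, and the line should be built into a bounded buffer first. Function names, the 200-byte cap and the log prefix are taken from the advisory's description; the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_MAX    200               /* advisory: 199 characters + NUL */
#define LOG_PREFIX " fingered from " /* "X fingered from Y@Z" layout   */

/* Vulnerable pattern described by the advisory: the remote name (which
 * the client controls through its identd reply) becomes the format string.
 *     syslog(LOG_INFO, remote_user);      <- conversion specifiers are honoured
 * The hardened versions below never do this. */

/* Build "X fingered from Y@Z" into a bounded buffer with a fixed format.
 * Returns the line length, or -1 on encoding error or truncation. */
int build_log_line(char *out, size_t outsz,
                   const char *fingered, const char *remote_user,
                   const char *remote_host)
{
    int n = snprintf(out, outsz, "%s" LOG_PREFIX "%s@%s",
                     fingered, remote_user, remote_host);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                   /* refuse to log a truncated line */
    return n;
}

/* Log a prepared line. The line is passed as DATA via "%s", so a '%'
 * inside it is written literally and never interpreted. */
void log_hardened(const char *line)
{
    syslog(LOG_INFO, "%s", line);
}

/* Bytes left for the remote-user field, mirroring the advisory's arithmetic
 * 199 - strlen("X fingered from ") with a fingered name of fingered_len
 * bytes (the "@Z" suffix is not subtracted, matching the advisory's 183). */
int remote_user_capacity(size_t fingered_len)
{
    return (int)(LOG_MAX - 1 - fingered_len - strlen(LOG_PREFIX));
}
```

With gcc or clang, compiling with -Wformat-security flags the vulnerable `syslog(LOG_INFO, remote_user)` call pattern shown in the comment, which is a cheap check to add to any build that logs attacker-influenced strings.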
Affected Products:
- Debian Linux 2.2.0
- Debian Linux 2.2.0 r1
- Debian Linux 2.2.0 r2
- Infodrom cfingerd 1.4.0 .0
- Infodrom cfingerd 1.4.0 .1
- Infodrom cfingerd 1.4.0 .2
- Infodrom cfingerd 1.4.0 .3
- Progeny Debian 1.0.0
References:
- Infodrom: cfingerd Project