Title: PFinger Format String Vulnerability
Severity: HIGH
Description:
PFinger is a daemon for the standard finger protocol. It also includes support for the PIP protocol. The PFinger daemon runs as the 'nobody' user in the default installation. PFinger includes a graphical finger client.
A vulnerability exists in both the server and the client. Finger data associated with a user is passed into a printf call as a format string. Format string modifiers may be included in this data, possibly leading to the execution of arbitrary code. This information can generally be trivially modified by a malicious user by, for example, including it in their .plan file.
It is possible to exploit this vulnerability in both the PFinger server and the client. PFinger daemons may be configured to consult a master server for finger information. Finger information provided by the master server is then passed to printf by the slave server. Exploitation of this vulnerability on the server level could lead to local access as the 'nobody' user. From this point, further elevation of privileges may be possible through the use of local exploits.
Similarly, a user of the graphical client may be enticed into fingering a malicious user. Format string commands may then be executed as the vulnerable user, again leading to a local account compromise.
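The bug class described above, as an added illustration that is not PFinger's own code: the fingered user's data is used as the printf format itself, next to the hardened form and a small check a server could run on finger data before logging it. The .plan contents are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Constructed .plan contents, not taken from any real system. The first looks
 * harmless but is still interpreted; the second carries real directives. */
static const char PLAN_PERCENT[]    = "Project is 100%% done";
static const char PLAN_DIRECTIVES[] = "Out of office %x %x %n";

/* Count the printf conversions untrusted text would introduce if it were used
 * as a format string. "%%" is a literal percent and is not counted. A non-zero
 * result on finger data is a useful alert condition for a daemon. */
static int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent sign */
        n++;
    }
    return n;
}

/* Compilers already warn about a non-literal format string; that warning is
 * the cheapest detection for this bug class and is silenced here only so the
 * vulnerable shape can sit beside the fix. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable shape from the advisory: the user's data IS the format string.
 * Only call it with input whose sole directives are "%%" (see PLAN_PERCENT). */
static int render_plan_vulnerable(char *dst, size_t cap, const char *plan) {
    return snprintf(dst, cap, plan);
}

/* Hardened form: constant format, untrusted data passed as an argument. */
static int render_plan_safe(char *dst, size_t cap, const char *plan) {
    return snprintf(dst, cap, "%s", plan);
}

int main(void) {
    char buf[128];
    render_plan_vulnerable(buf, sizeof buf, PLAN_PERCENT);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed: data was interpreted */
    render_plan_safe(buf, sizeof buf, PLAN_PERCENT);
    printf("safe:       %s\n", buf);   /* text reproduced verbatim */
    printf("directives in hostile plan: %d\n",
           count_format_directives(PLAN_DIRECTIVES));
    return 0;
}
```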
Affected Products:
- PFinger PFinger 0.7.5
- PFinger PFinger 0.7.6
- PFinger PFinger 0.7.7
References:
- PFinger: PFinger Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.