Bug 80286 - net-misc/netkit-fingerd dumps core -- possible arbitrary memory access ?
Summary: net-misc/netkit-fingerd dumps core -- possible arbitrary memory access ?
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All All
Importance: High minor
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-31 20:49 UTC by Andreas Kling
Modified: 2006-11-10 23:49 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch that fixes problem (bsd-finger-0.17-uninitialized-realname.patch,761 bytes, patch)
2005-01-31 20:53 UTC, Andreas Kling

Description Andreas Kling 2005-01-31 20:49:55 UTC
netkit-fingerd's 'finger' dumps core if a fingered user is without a "full name" and is preceded by a user with a very large GECOS field in /etc/passwd (or NIS).

The problem is that finger prints the user's "full name" even if he doesn't have one. This is normally fine, since we just get a "(null)" label, but when the user's "full name" is never properly initialized, it's possible to manually insert a value into the "full name" pointer by tweaking any GECOS field occurring before it in passwd/NIS.

This isn't really interesting unless you are talking to finger through fingerd running as another user, usually 'nobody', but sometimes root.

Reproducible: Always
Steps to Reproduce:
# useradd -c `perl -e "print 'A' x 1024;"` test1
# useradd -c "" test2
# finger test2
Segmentation fault
Comment 1 Andreas Kling 2005-01-31 20:53:11 UTC
Created attachment 50097 [details, diff]
Patch that fixes problem

This patch sets users' "full name" fields to NULL unless a full name is found.
It also replaces NULL "full name" fields with "" when printing.
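The bug class behind this report, as an added illustration that is not the netkit-fingerd source or the attached patch: a "person" record is recycled between lookups, its realname pointer is only written when a GECOS full name is found, so a user with an empty GECOS inherits whatever pointer the previous lookup left behind. The fixed variant mirrors the two changes the comment describes (always assign the field, NULL when no name exists; render NULL as "" when printing). The struct, function names, and the sample passwd entries for test1/test2 are all constructed for this example.

```c
/* Added example (constructed, not netkit-fingerd code): a minimal GECOS
 * parser with the uninitialised-realname defect next to its fix. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64

struct person {
    char  name[NAME_MAX_LEN];
    char *realname;            /* GECOS full name, or NULL when there is none */
};

/* One static record stands in for the memory finger recycles between lookups;
 * a stale pointer in it is what the bug report calls "re-using memory". */
static struct person record;

/* Copy the GECOS text before the first ',' into out.
 * Returns out when a non-empty full name exists, NULL otherwise. */
static char *gecos_fullname(const char *gecos, char *out, size_t outlen)
{
    size_t n = strcspn(gecos, ",");      /* full name ends at the first comma */
    if (n == 0)
        return NULL;                     /* empty GECOS, or leading comma */
    if (n >= outlen)
        n = outlen - 1;                  /* truncate rather than overflow out */
    memcpy(out, gecos, n);
    out[n] = '\0';
    return out;
}

/* Buggy variant: realname is assigned only when a name is found, so a user
 * without one keeps the pointer stored by the previous lookup. */
static struct person *lookup_buggy(const char *login, const char *gecos,
                                   char *buf, size_t buflen)
{
    snprintf(record.name, sizeof record.name, "%s", login);
    char *full = gecos_fullname(gecos, buf, buflen);
    if (full != NULL)
        record.realname = full;          /* BUG: no assignment on the NULL path */
    return &record;
}

/* Fixed variant: the field is always written, NULL meaning "no full name". */
static struct person *lookup_fixed(const char *login, const char *gecos,
                                   char *buf, size_t buflen)
{
    snprintf(record.name, sizeof record.name, "%s", login);
    record.realname = gecos_fullname(gecos, buf, buflen);
    return &record;
}

/* Second half of the fix: never hand a NULL pointer to "%s". */
static const char *display_name(const struct person *p)
{
    return p->realname ? p->realname : "";
}

/* Run the two lookups in the order from the bug report (a user with a full
 * name, then one with an empty GECOS) and return what the second would print.
 * fixed == 0 uses the buggy path and returns the raw pointer finger printed. */
static const char *second_lookup_name(int fixed)
{
    static char buf_a[NAME_MAX_LEN], buf_b[NAME_MAX_LEN];
    memset(&record, 0, sizeof record);   /* fresh record for each run */
    if (fixed) {
        lookup_fixed("test1", "Alice Example,,,", buf_a, sizeof buf_a);
        return display_name(lookup_fixed("test2", "", buf_b, sizeof buf_b));
    }
    lookup_buggy("test1", "Alice Example,,,", buf_a, sizeof buf_a);
    return lookup_buggy("test2", "", buf_b, sizeof buf_b)->realname;
}

int main(void)
{
    printf("buggy lookup of test2 prints: %s\n", second_lookup_name(0));
    printf("fixed lookup of test2 prints: \"%s\"\n", second_lookup_name(1));
    return 0;
}
```

In the buggy path the second lookup reports the first user's name, because realname still points at the earlier buffer; with data that has since been reused for something else, as in the report, that pointer can refer to any memory the process can read, which is why the first patch hunk (assign NULL when no name is found) matters more than the cosmetic "" substitution.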
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 02:17:10 UTC
This is really minor, not sure of the security implication.
If one of our scouts could double-check that one... (vulnerability and patch)
Comment 3 Andreas Kling 2005-02-02 03:16:16 UTC
Allow me to expand on the memory access part ;)

In certain cases, finger ends up re-using memory for a "person" structure containing the "full name" pointer. By inserting an appropriate value in an oversized GECOS field, you can overwrite this pointer, making finger print a null-terminated string from any memory location available to the program.

Like so:

# nm finger | grep copyright
0804c260 D copyright
# useradd -c `perl -e 'print "A"x32, "\x60\xc2\x04\x08", "A"x500;'` test1
# useradd -c "" test2
# finger test2@localhost
[localhost]
Login: test2                            Name: @(#) Copyright (c) 1989 The Regents of the University of California.
All rights reserved.

As you said, this is very minor, and cannot even be done by a regular user using 'chfn' since it limits the length of GECOS contents.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 04:47:22 UTC
Thanks for the clarification.

If it requires root access to enter appropriate GECOS fields, then we'll discard it as a non-security issue. This is a bug alright and should be fixed, but not by us.

noherd -> bug-wranglers ?
Comment 5 SpanKY gentoo-dev 2006-11-10 23:49:21 UTC
fixed in netkit-fingerd-0.17-r3