netkit-fingerd's 'finger' dumps core if a fingered user is without a "full name" and is preceded by a user with a very large GECOS field in /etc/passwd (or NIS). The problem is that finger prints the user's "full name" even if he doesn't have one. This is normally fine, since we just get a "(null)" label, but when the user's "full name" is never properly initialized, it's possible to manually insert a value into the "full name" pointer by tweaking any GECOS field occurring before it in passwd/NIS. This isn't really interesting unless you are talking to finger through fingerd running as another user, usually 'nobody', but sometimes root.

Reproducible: Always

Steps to Reproduce:
    # useradd -c `perl -e "print 'A' x 1024;"` test1
    # useradd -c "" test2
    # finger test2
    Segmentation fault
Created attachment 50097 [details, diff] Patch that fixes problem This patch sets users' "full name" fields to NULL unless a full name is found. It also replaces NULL "full name" fields with "" when printing.
This is really minor, not sure of the security implication. If one of our scouts could doublecheck that one... (vulnerability and patch)
Allow me to expand on the memory access part ;) In certain cases, finger ends up re-using memory for a "person" structure containing the "full name" pointer. By inserting an appropriate value in an oversized GECOS field, you can overwrite this pointer, making finger print a null-terminated string from any memory location available to the program. Like so:

    # nm finger | grep copyright
    0804c260 D copyright
    # useradd -c `perl -e 'print "A"x32, "\x60\xc2\x04\x08", "A"x500;'` test1
    # useradd -c "" test2
    # finger test2@localhost
    [localhost]
    Login: test2                            Name: @(#) Copyright (c) 1989 The Regents of the University of California. All rights reserved.

As you said, this is very minor, and cannot even be done by a regular user using 'chfn' since it limits the length of GECOS contents.
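The following is an added illustration of the defect class discussed in the report and in the comment on attachment 50097 (a "person" record reused without its "full name" pointer being reset, then printed unconditionally), together with the two-part fix the patch comment describes: default the pointer to NULL unless a full name is found, and print "" for NULL. It is not netkit-fingerd's code; the struct, function names and the single reused slot are assumptions made to keep the example self-contained.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of finger's "person" record (field names are assumptions). */
struct person {
    char login[32];
    char *realname;   /* heap copy of the first GECOS field, or NULL */
};

/* One record per variant, reused across lookups without being cleared,
 * mirroring the re-used structure described in the thread. Static storage
 * starts zeroed, so realname is NULL only for the very first occupant. */
static struct person buggy_slot;
static struct person fixed_slot;

/* The full name is the first comma-separated GECOS field. */
static char *copy_full_name(const char *gecos)
{
    size_t n = strcspn(gecos, ",");
    char *name = malloc(n + 1);
    if (!name)
        return NULL;
    memcpy(name, gecos, n);
    name[n] = '\0';
    return name;
}

/* Buggy variant: realname is only assigned when a GECOS field exists, so a
 * user with an empty GECOS inherits whatever the previous occupant left. */
static struct person *lookup_buggy(const char *login, const char *gecos)
{
    struct person *p = &buggy_slot;
    snprintf(p->login, sizeof p->login, "%s", login);
    if (gecos[0] != '\0')
        p->realname = copy_full_name(gecos);
    /* empty GECOS: p->realname deliberately left untouched (the defect) */
    return p;
}

/* Fixed variant: the pointer is reset before parsing, so an empty GECOS
 * yields NULL rather than stale data from an earlier record. */
static struct person *lookup_fixed(const char *login, const char *gecos)
{
    struct person *p = &fixed_slot;
    snprintf(p->login, sizeof p->login, "%s", login);
    free(p->realname);     /* release the previous occupant's copy */
    p->realname = NULL;    /* default unless a full name is found */
    if (gecos[0] != '\0')
        p->realname = copy_full_name(gecos);
    return p;
}

/* Second half of the fix: never hand a NULL to printf's %s. */
static const char *display_name(const struct person *p)
{
    return p->realname ? p->realname : "";
}

int main(void)
{
    /* Constructed sample records, standing in for consecutive passwd entries. */
    lookup_buggy("test1", "Alice Example,,,");
    struct person *stale = lookup_buggy("test2", "");
    printf("buggy: Login: %s  Name: %s\n", stale->login, display_name(stale));

    lookup_fixed("test1", "Alice Example,,,");
    struct person *clean = lookup_fixed("test2", "");
    printf("fixed: Login: %s  Name: %s\n", clean->login, display_name(clean));
    return 0;
}
```

Running it shows the buggy path reporting test2 with the name "Alice Example" left over from test1, while the fixed path prints an empty name; in the real program the stale pointer need not point at a previous user's name at all, which is what makes the unconditional printf dangerous.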
Thanks for the clarification. If it requires root access to enter appropriate GECOS fields, then we'll discard it as a non-security issue. This is a bug alright and should be fixed, but not by us. noherd -> bug-wranglers ?
fixed in netkit-fingerd-0.17-r3