Date: Thu, 02 Sep 1999 12:50:11 +0900 From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp> To: FreeBSD-gnats-submit@freebsd.org Cc: koya@math.yokohama-cu.ac.jp Subject: bin/13535: Finger bug: possible stack overflow Message-ID: <19990902125011W.koya@math.yokohama-cu.ac.jp>
>Number: 13535
>Category: bin
>Synopsis: A security bug of finger
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 1 20:50:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Yoshihiro Koya
>Release: FreeBSD 2.2.8-RELEASE i386
>Organization:
>Environment:
Finger of "Id: finger.c,v 1.9.2.3 1998/03/08 09:08:00 jkh Exp"
(However, the source in the current CVS repository has a similar
problem. All versions of finger might have the same problem.)
>Description:
When the finger program prints user information of a system, it refers
to the gecos field of the passwd database. The length of the gecos field
may be allowed up to 2048 bytes. On the other hand, almost all buffers of
the finger program have only 1024 bytes.
The "ampersand problem" of finger in the current CVS repository has
already been fixed. However, it still has the problem described above.
>How-To-Repeat:
By using the chpass program, change the gecos field of some user as
follows:
>#Changing user database information for someuser
>Shell: /bin/csh
>Full Name: xxxxxxxxxxxxxxxxx... (put 1500 x's here, for example)
>Location:
>Office Phone:
>Home Phone:
>Other information:
and, type
host% finger root
or
host% finger root@localhost
if fingerd is available on your system. Then finger will catch
signal 10 or 11.
In the latter case, it's also possible to execute any commands by using
this under the privilege of "nobody" (it's dangerous on a system
running squid).
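The description and the reproduction above boil down to one pattern: finger copies a gecos field of up to 2048 bytes into fixed 1024-byte stack buffers. The following is an added example, not code from the report or from finger itself, showing how the gecos parsing finger does (split on commas, expand '&' to the capitalized login) can be written so that every store is bounded by the destination size; `parse_gecos`, `field` and `long_name_case` are names chosen here, and `long_name_case` constructs the report's 1500-x name field as its input.

```c
#include <ctype.h>
#include <limits.h>
#include <string.h>
#ifndef LINE_MAX
#define LINE_MAX 2048   /* POSIX minimum, and FreeBSD's value */
#endif
/* The four gecos fields finger prints: real name, office, office phone, home phone. */
static char fields[4][LINE_MAX];

/* Store c at buf[*pos] only if it and the terminating NUL still fit; 1 = dropped. */
static int put_char(char *buf, size_t *pos, int c)
{
    if (*pos + 1 >= LINE_MAX) return 1;
    buf[(*pos)++] = (char)c;
    return 0;
}

/* Split gecos on ',' into fields[], expanding '&' in the name to the capitalized
 * login as finger does. Every store is bounded by the destination size, so a gecos
 * longer than the buffers is truncated instead of overflowing them. Returns the
 * number of fields that had to be truncated (0 means everything fit). */
int parse_gecos(const char *gecos, const char *login)
{
    int field = 0, truncated = 0, clipped = 0;
    size_t pos = 0;
    memset(fields, 0, sizeof fields);       /* also guarantees NUL termination */
    for (const char *p = gecos; *p != '\0' && field < 4; p++) {
        if (*p == ',') {                    /* end of the current field */
            truncated += clipped;
            field++; pos = 0; clipped = 0;
        } else if (*p == '&' && field == 0) {
            for (const char *l = login; *l != '\0'; l++)
                clipped |= put_char(fields[0], &pos,
                                    l == login ? toupper((unsigned char)*l) : *l);
        } else {
            clipped |= put_char(fields[field], &pos, *p);
        }
    }
    return truncated + clipped;
}

const char *field(int i) { return fields[i]; }

/* The report's How-To-Repeat: a name field of n x's (constructed; n capped at 4095). */
int long_name_case(size_t n)
{
    static char gecos[4096];
    if (n >= sizeof gecos) n = sizeof gecos - 1;
    memset(gecos, 'x', n);
    gecos[n] = '\0';
    return parse_gecos(gecos, "someuser");
}
```

With LINE_MAX at 2048 the 1500-x name fits untruncated, while a 3000-x name is cut to 2047 bytes and reported as truncated instead of corrupting the stack.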
>Fix:
Apply the patch below:
----------------------------------------------------------------------
diff -c /usr/src/usr.bin/finger/extern.h /home/koya/labo/finger/extern.h
*** /usr/src/usr.bin/finger/extern.h Thu Jul 3 16:12:37 1997
--- /home/koya/labo/finger/extern.h Thu Sep 2 12:15:18 1999
***************
*** 33,39 ****
* @(#)extern.h 8.1 (Berkeley) 6/6/93
*/
! extern char tbuf[1024]; /* Temp buffer for anybody. */
extern int entries; /* Number of people. */
extern DB *db; /* Database. */
--- 33,39 ----
* @(#)extern.h 8.1 (Berkeley) 6/6/93
*/
! extern char tbuf[LINE_MAX]; /* Temp buffer for anybody. */
extern int entries; /* Number of people. */
extern DB *db; /* Database. */
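Review bot: LINE_MAX comes from <limits.h>, and this hunk adds no such include to extern.h, so any file that includes extern.h without <limits.h> first will fail to compile; add `#include <limits.h>` above the declaration. Note also that LINE_MAX is 2048 on FreeBSD, which is exactly the gecos limit the description gives, leaving no room for a NUL terminator or any prefix if tbuf ever receives a full-length field.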
diff -c /usr/src/usr.bin/finger/finger.c /home/koya/labo/finger/finger.c
*** /usr/src/usr.bin/finger/finger.c Sun Mar 8 18:08:00 1998
--- /home/koya/labo/finger/finger.c Thu Sep 2 12:15:40 1999
***************
*** 94,100 ****
DB *db;
time_t now;
int entries, lflag, mflag, pplan, sflag, oflag, Tflag;
! char tbuf[1024];
static void loginlist __P((void));
static void usage __P((void));
--- 94,100 ----
DB *db;
time_t now;
int entries, lflag, mflag, pplan, sflag, oflag, Tflag;
! char tbuf[LINE_MAX];
static void loginlist __P((void));
static void usage __P((void));
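Review bot: enlarging tbuf only moves the limit; nothing in this hunk bounds the writes into it, so a field longer than LINE_MAX would overflow again. The code that fills tbuf should copy with an explicit bound (snprintf or strncpy with sizeof(tbuf)), with the larger size kept as defence in depth. As in extern.h, finger.c must see <limits.h> for LINE_MAX to be defined.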
diff -c /usr/src/usr.bin/finger/util.c /home/koya/labo/finger/util.c
*** /usr/src/usr.bin/finger/util.c Sun Mar 8 18:08:20 1998
--- /home/koya/labo/finger/util.c Thu Sep 2 12:14:59 1999
***************
*** 70,76 ****
char *user;
{
register char *p, *t;
! char name[1024];
if (!strcasecmp(pw->pw_name, user))
return(1);
--- 70,76 ----
char *user;
{
register char *p, *t;
! char name[LINE_MAX];
if (!strcasecmp(pw->pw_name, user))
return(1);
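Review bot: this function only needs to compare the gecos name against `user`, so the stack copy into `name` is avoidable; comparing in place on the passwd record, or copying with an explicit bound of sizeof(name), fixes the overflow regardless of the buffer size, whereas `name[LINE_MAX]` still overflows on a gecos of LINE_MAX bytes or more.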
***************
*** 335,341 ****
register struct passwd *pw;
{
register char *p, *t;
! char *bp, name[1024];
struct stat sb;
pn->realname = pn->office = pn->officephone = pn->homephone = NULL;
--- 335,341 ----
register struct passwd *pw;
{
register char *p, *t;
! char *bp, name[LINE_MAX];
struct stat sb;
pn->realname = pn->office = pn->officephone = pn->homephone = NULL;
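Review bot: `name` here is where the real name assigned to pn->realname just below is assembled, and with the '&' expansion the description mentions the required size is the gecos length plus the login name for each '&', not the gecos length alone, so LINE_MAX is not a guarantee. Check the remaining room before each copy into `name` (or use snprintf with sizeof(name)) and keep the size increase only as an extra margin.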
----------------------------------------------------------------------
>Release-Note:
>Audit-Trail:
>Unformatted: