


Category:   Application (Generic)  >   efFingerD
Vendors:   Eightfifteen Studios
efFingerD Buffer Overflow in sockFinger_DataArrival() Lets Remote Users Crash the Daemon
SecurityTracker Alert ID:  1010094
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 7 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 0.2.12
Description:   A buffer overflow vulnerability was reported in efFingerD. A remote user can cause the service to crash.

dr_insane reported that a remote user can send a finger command with 180 characters to cause the target service to crash. The flaw reportedly resides in the sockFinger_DataArrival() function.

Impact:   A remote user can cause the daemon to crash.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided an unofficial fix, available at:

Vendor URL:
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  efFingerD 0.2.12 Buffer overflow

Security  :: Advisory  - efFingerD 0.2.12 Buffer overflow


efFingerD 0.2.12


efFingerD is a simple open source finger daemon. By looking a little bit at the code I identified one buffer overflow condition. By sending 180 characters as an argument to the finger command, the daemon will crash. The problem exists in the sockFinger_DataArrival function.

Dim sData As String

sockFinger(Index).GetData sData, vbString
sData = Trim(Replace(sData, vbCrLf, ""))

If Len(sData) > 0 Then

    If sData = ".version" Then
       sockSend Index, Replace(Localize(0), "$VERSION$", App.Major & "." & App.Minor & "." & App.Revision)

    ElseIf Mid(sData, 1, 1) = "." Then
       sockSend Index, Replace(Localize(1), "$QUERY$", sData)

       Dim sFilename As String
       sFilename = App.Path & "\users\" & sData
       If Len(Dir(sFilename & ".log")) > 0 Then           ' <------- buffer overflow 1
          ' Global Header (company, version, etc...)
          If Len(Dir(App.Path & "\global.hdr")) > 0 Then
             sockFileContents Index, App.Path & "\global.hdr"
             sockSend Index, ""
          End If
          ' User Header (real name, email, project, etc...)
          If Len(Dir(sFilename & ".hdr")) > 0 Then
             sockFileContents Index, sFilename & ".hdr"
             sockSend Index, "-----"
          End If
          ' User Plan:
          sockFileContents Index, sFilename & ".log"
          ' End of Send
          sockSend Index, "-----"
          sockSend Index, Localize(3)
          sockSend Index, Replace(Localize(2), "$QUERY$", sData)
       End If

    End If


End If

I wrote a simple patch for efFingerD. Get the source code from:
If you want the patched binary:
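
One way to bound the query before it reaches Dir(), shown as an added example that is neither efFingerD's code nor the reporter's unofficial patch. The 32-character cap, the allowed character set, the names IsSafeFingerQuery and SendUserPlan, and the use of Localize(1) as a rejection message are assumptions; sockSend, sockFileContents and Localize are the helpers seen in the excerpt above.

```vb
' Added example: not efFingerD's code and not the reporter's patch.
Option Explicit

' Assumed cap on a finger user name; far below the 180 characters in the report.
Private Const MAX_QUERY_LEN As Long = 32

' True only if sQuery is 1..MAX_QUERY_LEN characters drawn from [A-Za-z0-9_-],
' an assumed allow-list of characters that are safe in a file name.
Private Function IsSafeFingerQuery(ByVal sQuery As String) As Boolean
    Dim i As Long

    If Len(sQuery) = 0 Or Len(sQuery) > MAX_QUERY_LEN Then Exit Function

    For i = 1 To Len(sQuery)
        Select Case AscW(Mid$(sQuery, i, 1))
            Case 48 To 57, 65 To 90, 97 To 122, 45, 95   ' 0-9 A-Z a-z - _
                ' allowed character
            Case Else
                Exit Function                            ' result stays False
        End Select
    Next i

    IsSafeFingerQuery = True
End Function

' Hypothetical replacement for the user lookup branch of sockFinger_DataArrival.
Private Sub SendUserPlan(ByVal Index As Integer, ByVal sData As String)
    Dim sFilename As String

    ' An unhandled run-time error in a compiled VB6 program ends the process,
    ' so any failure in the file lookup is trapped here.
    On Error GoTo LookupFailed

    If Not IsSafeFingerQuery(sData) Then
        ' Assumption: Localize(1) is the "invalid query" text; the query is not echoed.
        sockSend Index, Replace(Localize(1), "$QUERY$", "")
        Exit Sub
    End If

    sFilename = App.Path & "\users\" & sData
    If Len(Dir(sFilename & ".log")) > 0 Then
        sockFileContents Index, sFilename & ".log"
        sockSend Index, "-----"
    End If
    Exit Sub

LookupFailed:
    sockSend Index, Replace(Localize(1), "$QUERY$", "")
End Sub
```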


