SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   efFingerD Vendors:   Eightfifteen Studios
efFingerD Buffer Overflow in sockFinger_DataArrival() Lets Remote Users Crash the Daemon
SecurityTracker Alert ID:  1010094
SecurityTracker URL:  http://securitytracker.com/id/1010094
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 7 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 0.2.12
Description:   A buffer overflow vulnerability was reported in efFingerD. A remote user can cause the service to crash.

dr_insane reported that a remote user can send a finger command with 180 characters to cause the target service to crash. The flaw reportedly resides in the sockFinger_DataArrival() function.

Impact:   A remote user can cause the daemon to crash.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided an unofficial fix, available at:

http://members.lycos.co.uk/r34ct/main/fixes/effingerd/source/
http://members.lycos.co.uk/r34ct/main/fixes/effingerd/binary/

Vendor URL:  sourceforge.net/projects/effingerd/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  efFingerD 0.2.12 Buffer overflow


Security  :: Advisory  - efFingerD 0.2.12 Buffer overflow


homepage:
---------
https://sourceforge.net/projects/effingerd/

vulnerable:
-----------
efFingerD 0.2.12

Impact
------
Medium


Details
--------
efFingerD is a simple open source finger daemon. By looking a little bit at the code i 
identified one
buffer overflow condition. By sending as an argument to the finger command 180 characters 
the daemon will crash.The
problem exists in sockFinger_DataArrival function.

-------snip----------
Dim sData As String

sockFinger(Index).GetData sData, vbString
sData = Trim(Replace(sData, vbCrLf, ""))


If Len(sData) > 0 Then

    If sData = ".version" Then
       sockSend Index, Replace(Localize(0), "$VERSION$", App.Major & "." & App.Minor & "." 
& App.Revision)

    ElseIf Mid(sData, 1, 1) = "." Then
       sockSend Index, Replace(Localize(1), "$QUERY$", sData)

    Else
       Dim sFilename As String
       sFilename = App.Path & "\users\" & sData
       If Len(Dir(sFilename & ".log")) > 0 Then           <------- buffer overflow 1
          ' Global Header (company, version, etc...)
          If Len(Dir(App.Path & "\global.hdr")) > 0 Then
             sockFileContents Index, App.Path & "\global.hdr"
             sockSend Index, ""
          End If
          ' User Header (real name, email, project, etc...)
          If Len(Dir(sFilename & ".hdr")) > 0 Then
             sockFileContents Index, sFilename & ".hdr"
             sockSend Index, "-----"
          End If
          ' User Plan:
          sockFileContents Index, sFilename & ".log"
          ' End of Send
          sockSend Index, "-----"
          sockSend Index, Localize(3)
       Else
          sockSend Index, Replace(Localize(2), "$QUERY$", sData)
       End If

    End If

    sockFinger(Index).Close

End If
------snip-------------



fix/workaround:
---------------
I wrote a simple patch for efFingerD. Get the source code from:
http://members.lycos.co.uk/r34ct/main/fixes/effingerd/source/
If you want the patched binary:
http://members.lycos.co.uk/r34ct/main/fixes/effingerd/binary/



credit:
------
dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC