linux, säkerhet

8101334 2002-03-06 10:17 +0100  /70 rader/ Spybreak <spybreak@host.sk>
Sänt av: joel@lysator.liu.se
Importerad: 2002-03-06  18:22  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <21298>
Ärende: efingerd remote buffer overflow and a dangerous feature
------------------------------------------------------------
From: "Spybreak" <spybreak@host.sk>
To: bugtraq@securityfocus.com
Message-ID: <20020306101731.M44013@host.sk>

Release : 6/3/2002
Author  : Spybreak (spybreak@host.sk)
Software: efingerd
Versions: 1.3, 1.6.1
Problems: Remote buffer overflow and a dangerous feature



Efingerd is a "finger daemon, giving you complete control over what
are    you going to display about your computer" as is written in the
man page.  However this is not completely true, as any local user can
(even unintentionally) expose more info than was originally intended
by an admin.

Debian Linux distributes versions 1.3 (stable) and 1.6.1 (unstable).

1.) Remote buffer overflow

In the stable version it is possible to remotely cause a buffer
overflow condition through an exploitation of a reverse-lookup part
of the code:


static char *lookup_addr (struct in_addr in)
{
        static char addr[100];
        struct hostent *he;

        if (resolve_addr) {
                he = gethostbyaddr ((char *)&in, sizeof(struct
in_addr),AF_INET);
                if (he == NULL)
                        strcpy(addr, inet_ntoa(in));
                else
                        strcpy(addr, he->h_name);
        }
        else
                strcpy (addr, inet_ntoa (in));

        return addr;
}


Usually efingerd runs as 'nobody'.


2.) The feature

But there is another security issue with efingerd (in both versions).
When some existing user is fingered, efingerd looks for a ".efingerd"
file in that user's home directory and if it does exist and it is
executable it tries to execute it - as 'nobody'. The .efingerd's
output is sent back to the fingerer.

So _whatever_ a local user puts in his .efingerd file, can be
executed under nobody UID/GID simply by fingering himself. So getting
a nobody/nobody shell is straighforward.  This can be very
interesting for a potential evildoer going to hide his identity
during some nasty actions, for example local DoS attacks.  As the
logfile is writable by the UID of efingerd, it can be easily
manipulated.

This feature can be turned off with the -u option.
(8101334) /Spybreak <spybreak@host.sk>/---(Ombruten)
Kommentar i text 8102907 av Michael Bacarella <mbac@netgraft.com>
8102907 2002-03-06 12:38 -0600  /83 rader/ Michael Bacarella <mbac@netgraft.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-03-07  00:02  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <21305>
Kommentar till text 8101334 av Spybreak <spybreak@host.sk>
Ärende: Re: efingerd remote buffer overflow and a dangerous feature
------------------------------------------------------------
From: Michael Bacarella <mbac@netgraft.com>
To: bugtraq@securityfocus.com
Message-ID: <20020306123856.A2556@romulus.netgraft.com>

While I haven't viewed the code to efingerd, the author does
claim that it is based (indirectly) on ident2. I went through
great pains to make sure ident2 was secure which is why I feel
that I should comment.

ident2 is a pretty minimal, allegedly secure daemon which implements
the auth protocol.  Unless the sys admin has a special need, I highly
recommend that ident2 is run with the -r option which generates a
pseudo-random reply (and leaks no information about which server
processes run as which users).

Commenting on Spybreak's individual points:

On Wed, Mar 06, 2002 at 10:17:31AM +0100, Spybreak wrote:
> 1.) Remote buffer overflow
> 
> In the stable version it is possible to remotely cause a buffer overflow
> condition
> through an exploitation of a reverse-lookup part of the code:
> 
> 
> static char *lookup_addr (struct in_addr in)
> {
>         static char addr[100];
>         struct hostent *he;
> 
>         if (resolve_addr) {
>                 he = gethostbyaddr ((char *)&in, sizeof(struct
> in_addr),AF_INET);
>                 if (he == NULL)
>                         strcpy(addr, inet_ntoa(in));
>                 else
>                         strcpy(addr, he->h_name);
>         }
>         else
>                 strcpy (addr, inet_ntoa (in));
> 
>         return addr;
> }

Ident2 is not vulnerable to this exploit.

The code simply doesn't exist in ident2.
 
> Usually efingerd runs as 'nobody'.
> 
> 2.) The feature
> 
> But there is another security issue with efingerd (in both versions).
> When some existing user is fingered, efingerd looks for a ".efingerd" file
> in that user's home directory and if it does exist and it is executable it
> tries to execute it - as 'nobody'. The .efingerd's output is sent back to
> the fingerer.
> 
> So _whatever_ a local user puts in his .efingerd file, can be executed under
> nobody UID/GID simply by fingering himself. So getting a nobody/nobody shell
> is straighforward.
> This can be very interesting for a potential evildoer going to hide his
> identity during some nasty actions, for example local DoS attacks.
> As the logfile is writable by the UID of efingerd, it can be easily
> manipulated.
> 
> This feature can be turned off with the -u option.

Ident2 has a similar feature, but is not vulnerable to this attack.

If the -i option has been specified, and the file .ident exists in
the user's home directory, ident2 will substitute the user's supplied
ident. Under no circumstance will it attempt to execute the file.

The user specified reply will also be ignored unless it's
preceded by "ident ".

-- 
Michael Bacarella              | 545 Eighth Ave #401
                               | New York, NY 10018
Systems Analysis & Support     | mike@bacarella.com
Managed Services               | 212 946-1038
(8102907) /Michael Bacarella <mbac@netgraft.com>/(Ombruten)