[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

cfingerd: broken get_localhost, security implications

Package: cfingerd
Version: 1.4.1-1


about five weeks ago, I sent this report to security@debian.org
and the package maintainer but got no response yet. So I'll
submit it to the public BTS.

The get_localhost (util.c) function of cfingerd is broken:

    gethostname((char *) hostname, (size_t) 80);
    getdomainname((char *) domname, (size_t) 80);
    ret = (char *) malloc(strlen((char *) hostname) +
                          strlen((char *) domname) + 2);
    snprintf(ret, sizeof(ret), "%s.%s", (char *) hostname, (char *) domname);

sizeof(ret) is not the actual size of the string, but the static
size of (char *). Therefore usually only the first three characters
of the hostname are returned.

This has some security implications: if the name of the remote host
happens to start with the same three characters as the local host,
then the finger request is treated as a local request:

       if ( ....
            !strncasecmp(remote_addr, localhost, strlen(localhost))
            local_finger = TRUE;

This might unintentionally disclose local information to the remote

(BTW: It seems that getdomainname returns the NIS domainname)

Kind regards, Thomas

Reply to: