cfingerd: broken get_localhost, security implications

To: submit@bugs.debian.org
Cc: debian-security@lists.debian.org
Subject: cfingerd: broken get_localhost, security implications
From: "Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE>
Date: Mon, 13 Nov 2000 13:57:20 +0100
Message-id: <[🔎] 200011131257.NAA25291@pcrz175.HRZ.Uni-Marburg.DE>

Package: cfingerd
Version: 1.4.1-1

Hi,

about five weeks ago, I sent this report to security@debian.org
and the package maintainer but got no response yet. So I'll
submit it to the public BTS.

The get_localhost (util.c) function of cfingerd is broken:

<code_snipplet>
    gethostname((char *) hostname, (size_t) 80);
    getdomainname((char *) domname, (size_t) 80);
 
    ret = (char *) malloc(strlen((char *) hostname) +
                          strlen((char *) domname) + 2);
 
    snprintf(ret, sizeof(ret), "%s.%s", (char *) hostname, (char *) domname);
    return(ret);
</code_snipplet>

sizeof(ret) is not the actual size of the string, but the static
size of (char *). Therefore usually only the first three characters
of the hostname are returned.

This has some security implications: if the name of the remote host
happens to start with the same three characters as the local host,
then the finger request is treated as a local request:

       if ( ....
            !strncasecmp(remote_addr, localhost, strlen(localhost))
            local_finger = TRUE;

This might unintentionally disclose local information to the remote
site.

(BTW: It seems that getdomainname returns the NIS domainname)

Kind regards, Thomas

Reply to:

Prev by Date: Re: 'Generic' Firewall Rulesets?
Next by Date: debian
Previous by thread: Re: [suse-security] gs read shared libraries from working directory ??
Next by thread: debian
Index(es):
- Date
- Thread