cfingerd: broken get_localhost, security implications
Package: cfingerd
Version: 1.4.1-1
Hi,
about five weeks ago, I sent this report to security@debian.org
and the package maintainer but have received no response yet. So I'll
submit it to the public BTS.
The get_localhost (util.c) function of cfingerd is broken:
<code_snipplet>
gethostname((char *) hostname, (size_t) 80);
getdomainname((char *) domname, (size_t) 80);
ret = (char *) malloc(strlen((char *) hostname) +
                      strlen((char *) domname) + 2);
snprintf(ret, sizeof(ret), "%s.%s", (char *) hostname, (char *) domname);
return(ret);
</code_snipplet>
sizeof(ret) is not the size of the allocated string but the static
size of a (char *) pointer. Therefore usually only the first three characters
of the hostname are returned.
This has some security implications: if the name of the remote host
happens to start with the same three characters as the local host,
then the finger request is treated as a local request:
if ( ....
     !strncasecmp(remote_addr, localhost, strlen(localhost))
    local_finger = TRUE;
This might unintentionally disclose local information to the remote
site.
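The truncation and its effect on the local-request check, as an added C example that is not from the cfingerd source: the host and domain names are passed in as constructed values instead of being read from gethostname()/getdomainname(), so it runs offline, and the truncated length comes out as sizeof(char *) - 1 on whatever platform it is built.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Mirrors the broken get_localhost(): the buffer is sized correctly by
 * malloc, but snprintf is told the size of the pointer variable, not of
 * the allocation, so the result is cut to sizeof(char *) - 1 characters
 * (3 on a 32-bit build, 7 on a 64-bit build). */
char *join_buggy(const char *hostname, const char *domname)
{
    char *ret = malloc(strlen(hostname) + strlen(domname) + 2);
    if (ret == NULL)
        return NULL;
    size_t wrong_len = sizeof(ret);   /* the bug: size of a char *, not of the buffer */
    snprintf(ret, wrong_len, "%s.%s", hostname, domname);
    return ret;
}

/* Corrected version: keep the computed allocation size and hand that
 * same value to snprintf. */
char *join_fixed(const char *hostname, const char *domname)
{
    size_t len = strlen(hostname) + strlen(domname) + 2;
    char *ret = malloc(len);
    if (ret == NULL)
        return NULL;
    snprintf(ret, len, "%s.%s", hostname, domname);
    return ret;
}

/* The local-request test from the report: the remote name is compared
 * case-insensitively against the first strlen(localhost) characters, so
 * a truncated localhost makes every remote name sharing that prefix
 * look local.  Note that even with a full localhost this is still a
 * prefix match; an exact comparison (strcasecmp) is the tighter check. */
int treated_as_local(const char *remote_addr, const char *localhost)
{
    return strncasecmp(remote_addr, localhost, strlen(localhost)) == 0;
}

int main(void)
{
    char *b = join_buggy("alpha", "example.org");
    char *f = join_fixed("alpha", "example.org");
    printf("buggy: \"%s\"  fixed: \"%s\"\n", b, f);
    printf("remote alpha.evil.test local? buggy=%d fixed=%d\n",
           treated_as_local("alpha.evil.test", b),
           treated_as_local("alpha.evil.test", f));
    free(b);
    free(f);
    return 0;
}
```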
(BTW: It seems that getdomainname returns the NIS domainname)
Kind regards, Thomas