Brief Description: The finger(1) daemon is vulnerable to a buffer overrun attack, which allows a network entity to connect to the fingerd(8) port and get a root shell.
Detailed Description: Fingerd is a daemon that responds to requests for a listing of current users, or specific information about a particular user. It reads its input from the network, and sends its output to the network. On many systems, it ran as the superuser or some other privileged user. The daemon, fingerd, uses gets(3) to read the data from the client. As gets does no bounds checking on its argument, which is an array of 512 bytes allocated on the stack, a longer input message will overwrite the stack past the end of the array, changing the return address. If the appropriate code is loaded into the buffer, that code can be executed with the privileges of the fingerd daemon.
Component(s): finger, fingerd
Version(s): Versions before Nov. 6, 1989.
Operating System(s): All flavors of the UNIX operating system.
Other Information: It can be accessed from any remote network.
Effects: You get the same access as the fingerd daemon.
Detecting the Vulnerability:
* Compare your version with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.
* Connect to your fingerd daemon and type more than 528 (= 512 + 16) characters (any will do). If your daemon crashes or terminates the connection with no data sent back, you probably have the vulnerability.
* Check your fingerd source code for gets; the offending code is most likely gets(line). If you find this, you are vulnerable. (In the version we have, it's at line 40.)
Fixing the Vulnerability:
* Upgrade to a newer version.
* Disable fingerd. If you must run it, make it run as an anonymous user (like nobody); even then, a remote attacker can execute programs as that user on your system.
* Modify your source code, recompile, and reinstall. The modification is to change gets(line) to fgets(line, sizeof(line), stdin).
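The fgets change from the last item, written out as an added example (not fingerd's source and not part of the original record). fgets keeps the line ending that gets discarded, so the code strips it, and it rejects a request that fills the buffer instead of parsing a truncated one; read_request, demo_request and the REQ_* codes are names assumed here.

```c
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 512            /* array size given in the record */
enum { REQ_EOF = -1, REQ_OK = 0, REQ_TOO_LONG = 1 };

/* Bounded replacement for gets(line): writes at most size bytes to line. */
int read_request(FILE *in, char *line, size_t size)
{
    size_t n;
    int c;

    if (fgets(line, (int)size, in) == NULL)
        return REQ_EOF;
    n = strcspn(line, "\r\n");
    if (line[n] == '\0' && n == size - 1) {
        /* Buffer full and no line ending seen: reject the request and
           drain the rest so it is not parsed as a second request. */
        while ((c = getc(in)) != EOF && c != '\n')
            ;
        line[0] = '\0';
        return REQ_TOO_LONG;
    }
    line[n] = '\0';              /* gets() dropped the newline; fgets() keeps it */
    return REQ_OK;
}

/* Constructed demo: send len 'A' characters plus CRLF through read_request. */
static char demo_line[LINE_SIZE];
int demo_request(size_t len)
{
    FILE *f = tmpfile();
    int rc;

    if (f == NULL)
        return REQ_EOF;
    while (len-- > 0)
        putc('A', f);
    fputs("\r\n", f);
    rewind(f);
    rc = read_request(f, demo_line, sizeof demo_line);
    fclose(f);
    return rc;
}

int main(void)
{
    printf("5 bytes:   %d\n", demo_request(5));    /* REQ_OK */
    printf("528 bytes: %d\n", demo_request(528));  /* REQ_TOO_LONG */
    return 0;
}
```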
Keywords: fingerd, buffer overflow, gets, fgets, Internet worm
Attack Methods or Tools: Not provided.
Advisories and Other Alerts: Donn Seeley, "A Tour of the Worm", Computer Science Department, University of Utah, November 1988.
Related Vulnerabilities: None yet.
First Report We Know Of: by Jon Rochlis, Mark Eichin, date mailing lists, in Nov. 5, 1988
Revisions of Database Record
1. Omar Vanegas (Jul 21, 1998): Entered into DOVES.
2. Mike Dilger (original): Entered into original database.