Buffer Overflow in fingerd

vendor:

fingerd

by:

Unknown

7.5

CVSS

HIGH

Buffer Overflow

121

CWE

Product Name: fingerd

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: a:unknown:fingerd

Metasploit:

Other Scripts:

Platforms Tested: Unknown

Unknown

There exists a buffer overflow in fingerd that allows a remote attacker to execute any local binaries.

Mitigation:

The recommended mitigation for this vulnerability is to apply the latest patch or update from the vendor.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2/info

fingerd is a remote user information server that implements
the protocol defined in RFC742. There exists a buffer
overflow in finderd that allows a remote attacker to execute
any local binaries. 

finderd reads input from its socket using the gets()
standard C library call passing it a 512-byte automatic
buffer allocated in main(). gets() reads the input and 
stores it into the buffer without performing any bounds 
checking. This results in a standard stack buffer 
overflow when main() return.


The Internet Worm used a string of 536 bytes to
overflow the input buffer of fingerd on the VAX. The
VAX machine code it used was:

pushl $68732f 'sh\0'
pushl $6e69622f '/bin'
movl sp, r10
pushl $0
pushl $0
pushl r10
pushl $3
movl sp, ap
chmk $3b

This code executed execve("/bin/sh", 0, 0).