Vulnerabilities > CVE-2001-0609 - Off-by-one Error vulnerability in Infodrom Cfingerd

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
infodrom
CWE-193
critical
nessus
exploit available

Summary

Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier allows a remote attacker to gain additional privileges via a malformed ident reply that is passed to the syslog function.

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptioncfingerd 1.4 Format String Vulnerability (1). CVE-2001-0609. Remote exploit for linux platform
    idEDB-ID:20748
    last seen2016-02-02
    modified2001-04-11
    published2001-04-11
    reporterLez
    sourcehttps://www.exploit-db.com/download/20748/
    titlecfingerd 1.4 Format String Vulnerability 1
  • descriptioncfingerd 1.4 Format String Vulnerability (2). CVE-2001-0609. Remote exploit for linux platform
    idEDB-ID:20749
    last seen2016-02-02
    modified2001-04-16
    published2001-04-16
    reporterVeNoMouS
    sourcehttps://www.exploit-db.com/download/20749/
    titlecfingerd 1.4 Format String Vulnerability 2

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-049.NASL
    descriptionMegyer Laszlo report on Bugtraq that the cfingerd daemon as distributed with Debian GNU/Linux 2.2 was not careful in its logging code. By combining this with an off-by-one error in the code that copied the username from an ident response cfingerd could be exploited by a remote user. Since cfingerd does not drop its root privileges until after it has determined which user to finger an attacker can gain root privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id14886
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14886
    titleDebian DSA-049-1 : cfingerd
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-049. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14886);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2001-0609");
      script_bugtraq_id(2576);
      script_xref(name:"DSA", value:"049");
    
      script_name(english:"Debian DSA-049-1 : cfingerd");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Megyer Laszlo report on Bugtraq that the cfingerd daemon as
     distributed with Debian GNU/Linux 2.2 was not careful in its logging
     code. By combining this with an off-by-one error in the code that
     copied the username from an ident response cfingerd could be
     exploited by a remote user. Since cfingerd does not drop its root
     privileges until after it has determined which user to finger an
     attacker can gain root privileges."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2001/dsa-049"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "This has been fixed in version 1.4.1-1.1, and we recommend that you
    upgrade your cfingerd package immediately.
    
    Note: this advisory was previously posted as DSA-048-1 by mistake."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cfingerd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/04/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"cfingerd", reference:"1.4.1-1.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idCFINGER_FORMAT_BUG.NASL
    descriptionThe version of cfingerd running on the remote host has multiple vulnerabilities, including : - A local buffer overflow in the GECOS field, which can be used to escalate privileges. - A format string vulnerability, triggered by a malformed ident reply. This can be used to execute arbitrary code. - A local privilege escalation issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id10652
    published2001-04-16
    reporterThis script is Copyright (C) 2001-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/10652
    titlecfingerd < 1.4.4 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if(description)
    {
     script_id(10652);
     script_version ("1.27");
     script_cve_id("CVE-1999-0243", "CVE-1999-0708", "CVE-2001-0609");
     script_bugtraq_id(2576, 651);
    
     script_name(english:"cfingerd < 1.4.4 Multiple Vulnerabilities");
     script_summary(english:"Checks the cfinger version");
     
     script_set_attribute(
       attribute:"synopsis",
       value:"The remote finger service has multiple vulnerabilities."
     );
     script_set_attribute( attribute:"description", value:
    "The version of cfingerd running on the remote host has multiple
    vulnerabilities, including :
    
      - A local buffer overflow in the GECOS field, which can be used to
        escalate privileges.
      - A format string vulnerability, triggered by a malformed ident
        reply.  This can be used to execute arbitrary code.
      - A local privilege escalation issue." );
     script_set_attribute(
       attribute:"see_also",
       value:"https://seclists.org/bugtraq/1999/Sep/326"
     );
     # https://web.archive.org/web/20010725012119/http://archives.neohapsis.com/archives/vendor/2001-q2/0009.html
     script_set_attribute(
       attribute:"see_also",
       value:"http://www.nessus.org/u?f2f0892c"
     );
     script_set_attribute(
       attribute:"solution", 
       value:"Upgrade to cfingerd version 1.4.4 or later."
     );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2001/04/16");
     script_set_attribute(attribute:"vuln_publication_date", value: "1996/09/19");
     script_cvs_date("Date: 2018/11/15 20:50:23");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"Misc."); 
     script_copyright(english:"This script is Copyright (C) 2001-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
     script_dependencie("find_service1.nasl", 
     		     "cfinger_version.nasl");
     script_require_keys("cfingerd/version");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    port = get_kb_item("Services/finger");
    if(!port)port = 79;
    
    version = get_kb_item("cfingerd/version");
    if(version)
    {
     if(ereg(pattern:"[0-1]\.(([0-3]\.[0-9]*)|(4\.[0-3]))",
     	string:version))security_hole(port);
    }