CVE-2001-0609 - Off-by-one Error vulnerability in Infodrom Cfingerd
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier allows a remote attacker to gain additional privileges via a malformed ident reply that is passed to the syslog function.
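The two defects named in this record are a fixed format string built from peer-supplied text (CWE-134) and an off-by-one bound when copying the user-id field out of an ident reply. The following C is an added illustration written for this page, not cfingerd's own code: `ident_username` copies the user-id field with a bound that leaves room for the terminator, and `format_ident_log` keeps the untrusted text as a `%s` argument so conversion specifiers in it are logged literally. `USERNAME_MAX` and the sample replies are hypothetical, constructed values.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32   /* hypothetical fixed-size buffer, like a finger daemon's */

/* Extract the user-id field of an RFC 1413 ident reply
 * ("<port>, <port> : USERID : <opsys> : <user-id>") into `out`.
 * Returns the number of bytes stored, or -1 if the reply is malformed.
 * The copy stops at outsz - 1 so the NUL always fits; copying up to
 * outsz bytes (the off-by-one the advisory describes) would write one
 * byte past the buffer for a maximal-length user-id. */
int ident_username(const char *reply, char *out, size_t outsz)
{
    if (outsz == 0) return -1;
    const char *p = strstr(reply, "USERID");
    if (!p) return -1;                  /* ERROR replies carry no user-id */
    p = strchr(p + 6, ':');             /* move past "USERID" to the opsys field */
    if (!p) return -1;
    p = strchr(p + 1, ':');             /* move to the user-id field */
    if (!p) return -1;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = 0;
    while (p[n] && p[n] != '\r' && p[n] != '\n' && n < outsz - 1) {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the log line with a fixed format string. The vulnerable pattern
 * is syslog(LOG_INFO, user), which lets the peer choose the format; here
 * `user` is only ever a "%s" argument, so "%x" or "%n" inside it are
 * plain characters. Pass the result as syslog(LOG_INFO, "%s", buf). */
int format_ident_log(char *buf, size_t bufsz, const char *user)
{
    return snprintf(buf, bufsz, "ident reply user: %s", user);
}
```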
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description: cfingerd 1.4 Format String Vulnerability (1). CVE-2001-0609. Remote exploit for linux platform
id: EDB-ID:20748
last seen: 2016-02-02
modified: 2001-04-11
published: 2001-04-11
reporter: Lez
source: https://www.exploit-db.com/download/20748/
title: cfingerd 1.4 Format String Vulnerability 1

description: cfingerd 1.4 Format String Vulnerability (2). CVE-2001-0609. Remote exploit for linux platform
id: EDB-ID:20749
last seen: 2016-02-02
modified: 2001-04-16
published: 2001-04-16
reporter: VeNoMouS
source: https://www.exploit-db.com/download/20749/
title: cfingerd 1.4 Format String Vulnerability 2
Nessus
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-049.NASL
description: Megyer Laszlo reported on Bugtraq that the cfingerd daemon as distributed with Debian GNU/Linux 2.2 was not careful in its logging code. By combining this with an off-by-one error in the code that copied the username from an ident response, cfingerd could be exploited by a remote user. Since cfingerd does not drop its root privileges until after it has determined which user to finger, an attacker can gain root privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14886
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14886
title: Debian DSA-049-1 : cfingerd
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-049. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(14886);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  script_cve_id("CVE-2001-0609");
  script_bugtraq_id(2576);
  script_xref(name:"DSA", value:"049");

  script_name(english:"Debian DSA-049-1 : cfingerd");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Megyer Laszlo report on Bugtraq that the cfingerd daemon as distributed
with Debian GNU/Linux 2.2 was not careful in its logging code. By
combining this with an off-by-one error in the code that copied the
username from an ident response cfingerd could be exploited by a remote
user. Since cfingerd does not drop its root privileges until after it
has determined which user to finger an attacker can gain root
privileges."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2001/dsa-049"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"This has been fixed in version 1.4.1-1.1, and we recommend that you
upgrade your cfingerd package immediately.

Note: this advisory was previously posted as DSA-048-1 by mistake."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cfingerd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2001/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"2.2", prefix:"cfingerd", reference:"1.4.1-1.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Misc.
NASL id: CFINGER_FORMAT_BUG.NASL
description: The version of cfingerd running on the remote host has multiple vulnerabilities, including:
- A local buffer overflow in the GECOS field, which can be used to escalate privileges.
- A format string vulnerability, triggered by a malformed ident reply. This can be used to execute arbitrary code.
- A local privilege escalation issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10652
published: 2001-04-16
reporter: This script is Copyright (C) 2001-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/10652
title: cfingerd < 1.4.4 Multiple Vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
  script_id(10652);
  script_version ("1.27");
  script_cve_id("CVE-1999-0243", "CVE-1999-0708", "CVE-2001-0609");
  script_bugtraq_id(2576, 651);

  script_name(english:"cfingerd < 1.4.4 Multiple Vulnerabilities");
  script_summary(english:"Checks the cfinger version");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote finger service has multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of cfingerd running on the remote host has multiple
vulnerabilities, including :

  - A local buffer overflow in the GECOS field, which can be
    used to escalate privileges.

  - A format string vulnerability, triggered by a malformed
    ident reply. This can be used to execute arbitrary code.

  - A local privilege escalation issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/bugtraq/1999/Sep/326"
  );
  # https://web.archive.org/web/20010725012119/http://archives.neohapsis.com/archives/vendor/2001-q2/0009.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f2f0892c"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to cfingerd version 1.4.4 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2001/04/16");
  script_set_attribute(attribute:"vuln_publication_date", value: "1996/09/19");
  script_cvs_date("Date: 2018/11/15 20:50:23");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2001-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencie("find_service1.nasl", "cfinger_version.nasl");
  script_require_keys("cfingerd/version");
  exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/finger");
if(!port)port = 79;

version = get_kb_item("cfingerd/version");
if(version)
{
  if(ereg(pattern:"[0-1]\.(([0-3]\.[0-9]*)|(4\.[0-3]))", string:version))security_hole(port);
}
References
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0202.html
- http://www.securityfocus.com/bid/2576
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6364