The try_fingerd Routine

Probably the most impressive hack of the Worm is its use of a minor bug in the UNIX fingerd daemon to propagate itself. Finger itself is such a simple program that many system administrators did not believe the report that told them this routine was one of the routes of infection.

Fingerd reads in an argument string, sends the argument to the target machine, and then returns a response. Quite trivial. However, the function uses the C library call gets() to receive this input. In a trivial oversight by the writers of fingerd, the function has no protection against overwriting the buffer into which it reads the argument string.

The Worm takes advantage of this by calling fingerd with a 536-character argument, which overflows fingerd's 512-character buffer. The additional 24 characters end up overwriting the system stack, which controls which functions are called next, opening up a command interpreter that the Worm then uses to pull itself onto the target system.
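As an added illustration, not code from this page or from the original fingerd, the C below shows what the missing protection looks like: a bounded read with fgets() in place of gets(), where a request that does not fit the 512-character buffer is rejected and drained rather than being allowed to spill past the end of the buffer onto the stack. The 536-character sample request, the check_request helper and the status codes are constructed for this example; fmemopen() is a POSIX function used only to feed the sample from memory.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512   /* the buffer size the page attributes to fingerd */

/* The unbounded form the page describes is, in essence:
 *     char buf[REQ_BUF];
 *     gets(buf);          -- writes as many bytes as the client sends
 * gets() has no way to know the size of buf, so nothing stops the
 * 513th byte from landing beyond the buffer. */

/* Outcome of a bounded read (constructed status codes for this example). */
enum req_status { REQ_OK = 0, REQ_TOO_LONG = -1, REQ_EOF = -2 };

/* Bounded replacement: fgets() never writes past dst[dstsize - 1].
 * A line that fills the buffer without a newline is treated as oversized,
 * the remainder is drained so the next request is not corrupted, and the
 * caller gets an explicit rejection instead of silent truncation. */
enum req_status read_request(FILE *in, char *dst, size_t dstsize) {
    if (fgets(dst, (int)dstsize, in) == NULL) {
        dst[0] = '\0';
        return REQ_EOF;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {   /* whole line fit: strip newline */
        dst[n - 1] = '\0';
        return REQ_OK;
    }
    int c = fgetc(in);
    if (c == EOF)                         /* last line, simply unterminated */
        return REQ_OK;
    while (c != EOF && c != '\n')         /* oversized: discard the excess */
        c = fgetc(in);
    dst[0] = '\0';
    return REQ_TOO_LONG;
}

/* Helper for this example: run read_request over an in-memory request. */
enum req_status check_request(const char *request, char *dst, size_t dstsize) {
    FILE *in = fmemopen((void *)request, strlen(request), "r");
    if (in == NULL)
        return REQ_EOF;
    enum req_status st = read_request(in, dst, dstsize);
    fclose(in);
    return st;
}

/* A normal request fits and is returned intact (1 on success). */
int check_normal_request(void) {
    char dst[REQ_BUF];
    return check_request("rtm\n", dst, sizeof dst) == REQ_OK
        && strcmp(dst, "rtm") == 0;
}

/* Constructed sample of the length the page says the Worm sent (536 chars):
 * with the bounded reader it is rejected instead of overrunning the buffer. */
enum req_status check_oversized_request(void) {
    char req[540];
    memset(req, 'A', 536);
    req[536] = '\n';
    req[537] = '\0';
    char dst[REQ_BUF];
    return check_request(req, dst, sizeof dst);
}

int main(void) {
    printf("normal request ok: %d\n", check_normal_request());
    printf("536-char request status: %d\n", (int)check_oversized_request());
    return 0;
}
```

The point of the bounded reader is not the truncation itself but the explicit REQ_TOO_LONG result: a daemon that logs and drops oversized requests gives an operator a signal where the original fingerd gave none.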

If the attempt fails, control returns to infect, which then calls the try_sendmail routine.
