Advisories : fingerd allows remote reading of filesystem

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : fingerd allows remote reading of filesystem

Title:	fingerd allows remote reading of filesystem
Released by:	FreeBSD
Date:	13th October 2000
Printable version:	Click here

-----BEGIN PGP SIGNED MESSAGE-----



=============================================================================

FreeBSD-SA-00:54                                           Security Advisory

                                                                FreeBSD, Inc.



Topic:          fingerd allows remote reading of filesystem



Category:       core

Module:         fingerd

Announced:      2000-10-13

Credits:        NIIMI Satoshi 

Affects:        FreeBSD 4.1.1-RELEASE

Corrected:      2000-10-05 (4.1.1-STABLE)

FreeBSD only:   Yes



I.   Background



The finger service is used to provide information about users on the

system to remote clients.



II.  Problem Description



Shortly before the release of FreeBSD 4.1.1, code was added to

finger(1) intended to allow the utility to send the contents of

administrator-specified files in response to a finger request. However

the code incorrectly allowed users to specify a filename directly, the

contents of which would be returned to the user.



The finger daemon usually runs as user 'nobody' and invokes the

finger(1) command in response to a remote request, meaning it does not

have access to privileged files on the system (such as the hashed

password file /etc/master.passwd), however the vulnerability may be

used to read arbitrary files to which the 'nobody' user has read

permission. This may disclose internal information including

information which may be used to mount further attacks against the

system.



Note that servers running web and other services often incorrectly run

these as the 'nobody' user, meaning this vulnerability may be used to

read internal web server data such as web server password files, the

source code to cgi-bin scripts, etc.



FreeBSD 4.1-RELEASE, 4.0-RELEASE, 3.5.1-RELEASE and FreeBSD 4.1-STABLE

systems dated before 2000-09-01 or after 2000-10-05 are unaffected by

this vulnerability.



III. Impact



Remote users can obtain read access (as the 'nobody' user) to large

parts of the local filesystem on systems running a vulnerable

fingerd. This may disclose confidential information and may facilitate

further attacks on the system.



IV.  Workaround



Disable the finger protocol in /etc/inetd.conf: make sure the

/etc/inetd.conf file does not contain the following entry

uncommented (i.e. if present in the inetd.conf file it should be

commented out as shown below:)



#finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s



On IPv6-connected systems, be sure to disable the IPv6 instance of the

finger daemon as well:



#finger stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s



V.   Solution



One of the following:



1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated after

the correction date.



2) Apply the patch below and rebuild your fingerd binary.



Either save this advisory to a file, or download the patch and

detached PGP signature from the following locations, and verify the

signature using your PGP utility.



http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch

http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch.asc



# cd /usr/src/usr.bin/finger

# patch -p < /path/to/patch_or_advisory

# make all install

# cd /usr/src/libexec/fingerd

# make all install



Patch for vulnerable 4.1.x systems:



    Index: finger.c

    ===================================================================

    RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v

    retrieving revision 1.15.2.3

    retrieving revision 1.21

    diff -u -r1.15.2.3 -r1.21

    --- finger.c 2000/09/15 21:51:00 1.15.2.3

    +++ finger.c 2000/10/05 15:56:13 1.21

    @@ -293,6 +293,16 @@

     goto net;



     /*

    + * Mark any arguments beginning with '/' as invalid so that we

    + * don't accidently confuse them with expansions from finger.conf

    + */

    + for (p = argv, ip = used; *p; ++p, ++ip)

    +     if (**p == '/') {

    + *ip = 1;

    + warnx("%s: no such user", *p);

    +     }

    +

    + /*

     * Traverse the finger alias configuration file of the form

     * alias:(user|alias), ignoring comment lines beginning '#'.

     */

    @@ -323,11 +333,11 @@

     * gathering the traditional finger information.

     */

     if (mflag)

    - for (p = argv; *p; ++p) {

    - if (**p != '/' || !show_text("", *p, "")) {

    + for (p = argv, ip = used; *p; ++p, ++ip) {

    + if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {

     if (((pw = getpwnam(*p)) != NULL) && !hide(pw))

     enter_person(pw);

    -    else

    + else if (!*ip)

     warnx("%s: no such user", *p);

     }

     }



-----BEGIN PGP SIGNATURE-----

Version: 2.6.2



iQCVAwUBOebB4FUuHi5z0oilAQEE1AP+I7zDBn5TagYJEELea7ltGkNZ5h3nZi5E

FwxqYekriycAzOqctwzu7lO2AO7KoPTzAfu4OCd+s+ijK+zpXkt+eOAttbhPwENJ

RMAJPwcGr139mIT2ofuEUhtE9NZ66gg7WNh+8ixjtovKbZl1W/slX+wOqlaCcbLm

U4t3bj6bx5M=

=fg83

-----END PGP SIGNATURE-----