Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ffing-1.htm

Ffingerd bug can be exploited to determine the existence of a specified username



Vulnerability

    ffingerd

Affected

    Systems running ffingerd

Description

    Eilon  Gishri  found  following.   He  found  a  couple of bugs in
    ffingerd 1.19  which are  related to  privacy.   The permission on
    root's home directory are now 700 (/home/root):

	(aristo)/cc/eilon>finger root@host.domain
	[host.domain]
	Login: root                            Name: #6

	No project.
	No plan.
	No public key.

    A lesson in how not to  be seen. On host.domain, the user  doesn't
    want to be  seen.  Too  bad, his/her home  directory's permissions
    (which says 'I want some privacy') makes ffingerd state otherwise.
    Ffingerd looks for the file .nofinger in the user's home directory
    but due to  the current state  of permissions on  it, it can't  be
    accessed thus "there is  no such file" and  there for is happy  to
    supply us with the user's information.

	# cd ~root
	# ls -l .nofinger
	-rw-r--r--   1 root     system         0 Apr 23 18:01 .nofinger
	# ls -ld .
	drwx------   5 root     system       512 Apr 23 18:01 .
	# chmod 755 .

    Now lets try again.

	(aristo)/cc/eilon>finger root@host.domain
	[host.domain]
	That user does not want to be fingered

    Hmmm, now for an unknown user.

	(aristo)/cc/eilon>finger root1@host.domain
	[host.domain]
	That user does not want to be fingered.

    Oops. Notice the  dot ('.') at  the end of  the sentence.   A very
    simple and efficient  way to find  whether the user  exists on the
    remote host or not (taking into account the fact that ffingerd has
    been installed on the remote host).

Solution

    This is documented in ffingerd.  If you want ffingerd to look into
    protected homes, run it  as root.  Second  bug has been fixed  and
    announced  version  1.20  on  Freshmeat  pointing  out  this fixed
    problem.   Dagmar d'Surreal  posted following  patch.   Below is a
    patch which applies to the  1.20 version of Fefe's Finger  Daemon,
    which includes both Eilon  Gishri's patches to deal  with paranoid
    users whose home directories are mode 700 (the punctuation problem
    had  already  been  fixed  in  1.20), and his misdirection patches
    that add the .fakefinger (lets users controly exactly what will be
    returned   when   they   are   fingered)   file   use,   and   the
    /etc/ffingerd.empty and  /etc/ffingerd.indirect files  which allow
    a sysadmin to change what kind  of message is sent to people  when
    they try indirect or empty  finger queries without having to  edit
    the source and recompile the daemon.

    ---
    Content-Type: application/octet-stream; name="ffingerd.20p"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="ffingerd.20p"
    Content-MD5: 88RL3tW4HYA235zCOmrcWA==

    H4sICLTAIDcCA2ZmaW5nZXJkLTEuMjBwMi5wYXRjaACdVm1z0zgQ/ox/xU5ujrQ4ceOkpSRQ
    Jr3SltxwaacpwzCU6Si2XOtqW0aSyWWA++23KzuvJBSuHxprZe3L8zy7ciiiCJqFGkIUieyO
    q7Dpe+3W3vD03WjVlLet0Wk2mxvefXSmBBznCtodaB322u3evg9+t9t1XNfd6Gj5hN/p7Xd6
    /tPyRL8PTb/RAddvdKHfd1w85UOkZAp03nEBTkUiMzgXOkYnLzit+kwJbaRnWOGxwBPJS1A8
    l8rwEBjkSo4TngKwLIScmSCGSCpylTPFMilCKDRXGibCxBDLlEMoFA+MVIJrSGXI4bDVgjHH
    SqDIGHoDI+kQmJiTIy+TZZkQiYR7AK/YXcoUhPVRoRRnCbwIraUf6tLgSXX3ElgYYoozJxG7
    55UbSnWGnMfT3Ez35kuRlemBzI2QmfYc17HozHDyuw4AXGMlTMNrNuZGwwtjl/3YLr089zRf
    QclMcwkio2TmkckNV0oqSLnW7A7RmMRccXw9FVoTHKE0MJFFEoIuxiaZwp34jPsTNgUR4XuE
    rBNuUdq8pGffyWSxtUF1i81H13EBf7IMoAttv3ew3/NbpKTDjdpbOreqwM7BigL3/YaPGsQf
    FB+qEDyd478schBVZmxRWDnCkVH5LDOkhzECZ/3z0HG90Wv4azB6Nbg6PbkeXAwd91IJFIBA
    iFB9wDPDlWEiS/EJPrOk4I1KhilixxItIS8MIrgsC1IXkuS4yJJQVqsNqxWBFAcSfWaGdJwk
    lI2O5SSjzIhTxVNpeJk60pwnLOAgo1J8hS5QoyLDzFJGovJIP+hhqg12DgtTkWGHKWZIC7P8
    gphhVtb7XB8aM3BcDEDSyrRtlLlgKVMrZpjJ3BhaaxhPIcC2MCQpKhKRZSnhuMdNsLfaCdbN
    qn0WoUxb88rHTTRIC21uoiuEw3ExQGibF6Mty5xynEh17wGSjLydDd6cjvDx8tJp/rs37+0G
    4AJxy8oHJf/GiOVzMb7nU8ddf3nB3ENnG1sKWrdbAMos/3h7jkm+i3m2KERoUEWWEYqMxDmW
    YQkXW9NszLBLseYEe5z/w4MCpZFzZbsap6vmxqo0RoelyMxKnAA7jtwEMQ/uaSbgtnKaZt4c
    MYZnhP8cECLByteUE4SS0rpA4aB462VWdssjdf+Sn5neMeOAWzZLz+gYpahnbi1qx2+vX19c
    UTOzsqMfnE3B9jES/Gg2BWv3ot/tdbrb78XN53A2tQ56+92l27Gz3zjE+9H+0GwCYutOhDv5
    JGy+zCe3+Lz7vLIXS/Zibs+VyEy0QzBSmzVqv2MOLb1Qb60xO4QyxENNoGm+k2jDzOLYY1re
    jotodxe+0A1G72x/CY6OMP1dePwYdvBWySQZTocXp8Nr6wB+E1EW8giGF7ej96M3F+fWRJaz
    49HJYHR9i7bzwfCcigAaP/OL6cOB3/74vATooAQIf55VAAGERZrfUk5LRV8W40QEgN3XqzVq
    Q5q3M4NXK5H6BjzBafJla8Am2XFO653az90M1rMLP2RhMTbWeXC31YIF/EL8TUgvp1TV2KhV
    85l8VBP7psryplZ+bVSrbJGpTai8bUoQga6RRN7tYJzbs+OTwZvB9XusVtcaVaDdkrm2/5SY
    a/uHc2nT3xjn9n3l6Vv5Q0L7VHA1/YAAfCQd1ft10lCzPFIyMpJK4WSd4PectHjoIqfvncWF
    VBVFrvBTb8HNMsi1zZO5ZkH/XyG2wb+BgHU3M0KQ6hL5dRYsKo2rFfh/noBOyxLQ8ecEENJP
    PuVGHR3V9+q2d5/s0Nr1d9H0rg5fv8KyZVLHZrbLo/bzdQ9Qr/bc9a3WnL0HuFv5fviOuK20
    2WMPcLbV9U/3y6aPm4ohy87Vr7bFf8DAXnmkDQAA

    -----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH