13th Oct 2000 [SBWID-82]
COMMAND
fingerd
SYSTEMS AFFECTED
FreeBSD 4.1.1-RELEASE i386
PROBLEM
Przemyslaw Frasunek found following. If finger takes full path
name as user name, it prints out contents of that file. Because
fingerd executes finger as local information provider, finger
/path/to/[email protected] prints /path/to/file at some.host.
finger /path/to/[email protected]
Shortly before the release of FreeBSD 4.1.1, code was added to
finger(1) intended to allow the utility to send the contents of
administrator-specified files in response to a finger request.
However the code incorrectly allowed users to specify a filename
directly, the contents of which would be returned to the user.
The finger daemon usually runs as user 'nobody' and invokes the
finger(1) command in response to a remote request, meaning it
does not have access to privileged files on the system (such as
the hashed password file /etc/master.passwd), however the
vulnerability may be used to read arbitrary files to which the
'nobody' user has read permission. This may disclose internal
information including information which may be used to mount
further attacks against the system.
Note that servers running web and other services often incorrectly
run these as the 'nobody' user, meaning this vulnerability may be
used to read internal web server data such as web server password
files, the source code to cgi-bin scripts, etc.
SOLUTION
Disable the finger protocol in /etc/inetd.conf: make sure the
/etc/inetd.conf file does not contain the following entry
uncommented (i.e. if present in the inetd.conf file it should be
commented out as shown below):
#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
On IPv6-connected systems, be sure to disable the IPv6 instance
of the finger daemon as well:
#finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
Solution is one of the following:
1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated
after the correction date.
2) Apply the patch below and rebuild your fingerd binary.
Index: finger.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v
retrieving revision 1.15.2.3
retrieving revision 1.21
diff -u -r1.15.2.3 -r1.21
--- finger.c 2000/09/15 21:51:00 1.15.2.3
+++ finger.c 2000/10/05 15:56:13 1.21
@@ -293,6 +293,16 @@
goto net;
/*
+ * Mark any arguments beginning with '/' as invalid so that we
+ * don't accidently confuse them with expansions from finger.conf
+ */
+ for (p = argv, ip = used; *p; ++p, ++ip)
+ if (**p == '/') {
+ *ip = 1;
+ warnx("%s: no such user", *p);
+ }
+
+ /*
* Traverse the finger alias configuration file of the form
* alias:(user|alias), ignoring comment lines beginning '#'.
*/
@@ -323,11 +333,11 @@
* gathering the traditional finger information.
*/
if (mflag)
- for (p = argv; *p; ++p) {
- if (**p != '/' || !show_text("", *p, "")) {
+ for (p = argv, ip = used; *p; ++p, ++ip) {
+ if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {
if (((pw = getpwnam(*p)) != NULL) && !hide(pw))
enter_person(pw);
- else
+ else if (!*ip)
warnx("%s: no such user", *p);
}
}
Problem persists only in 4.x branch. Of course, it allows also
to traverse directory structures. This has been corrected in
2000-10-05 (4.1.1-STABLE).
FreeBSD 4.1-RELEASE, 4.0-RELEASE, 3.5.1-RELEASE and FreeBSD
4.1-STABLE systems dated before 2000-09-01 or after 2000-10-05
are unaffected by this vulnerability.