Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.FINGER_REDIRECTION.NASL
HistoryJun 22, 1999 - 12:00 a.m.

Finger Recursive Request Arbitrary Site Redirection

1999-06-2200:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
170
JSON

The remote finger service accepts redirect requests. That is, users can perform requests like :

	finger user@host@victim

This allows an attacker to use this computer as a relay to gather information on a third-party network. In addition, this type of syntax can be used to create a denial of service condition on the remote host.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10073);
 script_version("1.34");
 script_cvs_date("Date: 2018/08/10 18:07:07");

 script_cve_id("CVE-1999-0105", "CVE-1999-0106");

 script_name(english:"Finger Recursive Request Arbitrary Site Redirection");
 script_summary(english:"Finger user@host1@host2");
 
 script_set_attribute(attribute:"synopsis", value:
"It is possible to use the remote host to perform third-party host
scans.");
 script_set_attribute(attribute:"description", value:
"The remote finger service accepts redirect requests.  That is, users
can perform requests like :

		finger user@host@victim

This allows an attacker to use this computer as a relay to gather
information on a third-party network.  In addition, this type of
syntax can be used to create a denial of service condition on the
remote host.");
 script_set_attribute(attribute:"solution", value:
"Disable the remote finger daemon (comment out the 'finger' line in
/etc/inetd.conf and restart the inetd process) or upgrade it to a more
secure one." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

 script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");
 script_set_attribute(attribute:"vuln_publication_date", value:"1992/10/28");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Misc.");

 script_dependencies("find_service1.nasl", "finger.nasl");
 script_require_ports("Services/finger", 79);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");


port = get_service(svc:"finger", default:79, exit_on_fail:TRUE);

soc = open_sock_tcp(port);
if (!soc) exit(1, "Failed to open a socket on port "+port+".");

# cisco
data = recv(socket:soc, length:2048, timeout:5);
if (data) exit(0, "The service listening on port "+port+" sent a spontaneous header.");
  
buf = string("root@", get_host_name(), "\r\n");
send(socket:soc, data:buf);
data = recv(socket:soc, length:65535);
close(soc);

if (!strlen(data)) exit(0, "The service listening on port "+port+" did not respond.");

data_low = tolower(data);
  
if (
  !("such user" >< data_low) && 
  !("doesn't exist" >< data_low) && 
  !("???" >< data_low) &&
  !("welcome to" >< data_low) && 
  !("forward" >< data_low) &&
  !("http/1.1 400 " >< data_low)
)
{
  set_kb_item(name:"finger/user@host1@host2", value:TRUE);
  security_warning(port);
}

Related

cve 2
openvas 1
cve
cve
CVE-1999-0106
1997-03-01 05:00:00
CVE-1999-0105
1997-03-01 05:00:00
openvas
openvas
Finger Redirection Remote Denial of Service Vulnerability
2011-08-10 00:00:00
JSON
Related for FINGER_REDIRECTION.NASL
cve2openvas1