ffingerd.txt

`Date: Fri, 23 Apr 1999 19:26:13 +0300  
From: Eilon Gishri <[email protected]>  
To: [email protected]  
Subject: Ffingerd privacy issues  
  
Hi,  
I found a couple of bugs in ffingerd 1.19 which are related to  
privacy.  
  
Here goes:  
  
The permission on root's home directory are now 700 (/home/root).  
  
-----  
(aristo)/cc/eilon>finger [email protected]  
[host.domain]  
Login: root Name: #6  
  
No project.  
No plan.  
No public key.  
-----  
  
A lesson in how not to be seen. On host.domain, the user doesn't want  
to be seen (please stand up :)). Too bad, his/her home directory's  
permissions (which says 'I want some privacy') makes ffingerd state  
otherwise. Ffingerd looks for the file .nofinger in the user's home  
directory but due to the current state of permissions on it, it can't  
be accessed thus "there is no such file" and there for is happy to  
supply us with the user's information.  
  
-----  
# cd ~root  
# ls -l .nofinger  
-rw-r--r-- 1 root system 0 Apr 23 18:01 .nofinger  
# ls -ld .  
drwx------ 5 root system 512 Apr 23 18:01 .  
# chmod 755 .  
-----  
  
Now lets try again.  
  
-----  
(aristo)/cc/eilon>finger [email protected]  
[host.domain]  
That user does not want to be fingered  
-----  
  
Hmmm, now for an unknown user.  
  
-----  
(aristo)/cc/eilon>finger [email protected]  
[host.domain]  
That user does not want to be fingered.  
-----  
  
Oops. Notice the dot ('.') at the end of the sentence. A very simple  
and efficient way to find whether the user exists on the remote host  
or not (taking into account the fact that ffingerd has been installed  
on the remote host).  
  
Attached here a patch to fix those problems.  
  
--   
Eilon Gishri [email protected]  
Security Consultant Office: +972-3-6406723  
Israel Inter University Computation Center Fax: +972-3-6409118  
/* On a matter of national security */ Home: +972-3-5078671  
  
[ Part 1.2, Text/PLAIN 20 lines. ]  
  
--- ffingerd.c.old Thu Feb 18 12:50:36 1999  
+++ ffingerd.c Fri Apr 23 18:48:54 1999  
@@ -134,7 +134,7 @@  
setgid(pwd->pw_gid);  
setuid(pwd->pw_uid);  
sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);  
- if (lstat(filename,&stat_buf)) {  
+ if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {  
#ifndef NO_SYSLOG  
#ifdef FASCIST_LOGGING  
char message[512];  
@@ -154,7 +154,7 @@  
dump_file(filename,"Public key:","No public key.");  
} else {  
char message[512];  
- puts("That user does not want to be fingered");  
+ puts("That user does not want to be fingered.");  
#ifndef NO_SYSLOG  
sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);  
syslog(LOG_FACILITY,"%s",message);  
  
------------------------------------------------------------------------------  
  
Date: Fri, 23 Apr 1999 19:43:33 +0200  
From: Felix von Leitner <[email protected]>  
To: [email protected]  
Subject: Re: Ffingerd privacy issues  
  
Thus spake Eilon Gishri ([email protected]):  
> I found a couple of bugs in ffingerd 1.19 which are related to  
> privacy.  
  
OK. I would be happy if you email me (the author) first before  
publishing this on bugtraq. Next time, maybe.  
  
[ffingerd assumes the user wants to be fingered if his home does not  
give public execute access]  
  
This is documented in ffingerd. If you want ffingerd to look into  
protected homes, run it as root.  
  
> -----  
> (aristo)/cc/eilon>finger [email protected]  
> [host.domain]  
> That user does not want to be fingered  
> -----  
  
> Hmmm, now for an unknown user.  
  
> -----  
> (aristo)/cc/eilon>finger [email protected]  
> [host.domain]  
> That user does not want to be fingered.  
> -----  
  
> Oops. Notice the dot ('.') at the end of the sentence. A very simple  
> and efficient way to find whether the user exists on the remote host  
> or not (taking into account the fact that ffingerd has been installed  
> on the remote host).  
  
This has been pointed out to me yesterday. I fixed it today (before I  
saw this message, by the way), and announced version 1.20 on Freshmeat  
pointing out this fixed problem. Did you see my announcement and then  
posted to bugtraq?  
  
> --- ffingerd.c.old Thu Feb 18 12:50:36 1999  
> +++ ffingerd.c Fri Apr 23 18:48:54 1999  
> @@ -134,7 +134,7 @@  
> setgid(pwd->pw_gid);  
> setuid(pwd->pw_uid);  
> sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);  
> - if (lstat(filename,&stat_buf)) {  
> + if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {  
> #ifndef NO_SYSLOG  
> #ifdef FASCIST_LOGGING  
> char message[512];  
  
This is debatable.  
If a user wants privacy, he should remove the world readable permission,  
not the world executable permission.  
  
I will not add this right now but think it over. If anyone wants to  
comment on the way to go here, feel free to email me. I would prefer  
discussion this in private email than on bugtraq, but if you must, I  
will also read bugtraq comments.  
  
> @@ -154,7 +154,7 @@  
> dump_file(filename,"Public key:","No public key.");  
> } else {  
> char message[512];  
> - puts("That user does not want to be fingered");  
> + puts("That user does not want to be fingered.");  
> #ifndef NO_SYSLOG  
> sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);  
> syslog(LOG_FACILITY,"%s",message);  
  
This has already been fixed.  
  
Felix  
  
------------------------------------------------------------------------------  
  
Date: Fri, 23 Apr 1999 22:00:08 +0300  
From: Eilon Gishri <[email protected]>  
To: [email protected]  
Subject: Re: Ffingerd privacy issues  
  
On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote:  
> Thus spake Eilon Gishri ([email protected]):  
> > I found a couple of bugs in ffingerd 1.19 which are related to  
> > privacy.  
>  
> OK. I would be happy if you email me (the author) first before  
> publishing this on bugtraq. Next time, maybe.  
  
I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (A  
very complicated one I must say :)) I also notified the list. I'm  
not sure I would have done the same if I couldn't fix it myself.  
  
> [ffingerd assumes the user wants to be fingered if his home does not  
> give public execute access]  
  
Huh, It's opened if it's closed ?  
  
> This is documented in ffingerd. If you want ffingerd to look into  
> protected homes, run it as root.  
  
I want the machine itself to be protected and not only the users home  
directory. I consider it a feature when I don't have to run fingerd  
as root. Please don't consider it as a flame, I do like this utility  
and am using it.  
  
> > -----  
> > (aristo)/cc/eilon>finger [email protected]  
> > [host.domain]  
> > That user does not want to be fingered  
> > -----  
>  
> > Hmmm, now for an unknown user.  
>  
> > -----  
> > (aristo)/cc/eilon>finger [email protected]  
> > [host.domain]  
> > That user does not want to be fingered.  
> > -----  
>  
> > Oops. Notice the dot ('.') at the end of the sentence. A very simple  
> > and efficient way to find whether the user exists on the remote host  
> > or not (taking into account the fact that ffingerd has been installed  
> > on the remote host).  
>  
> This has been pointed out to me yesterday. I fixed it today (before I  
> saw this message, by the way), and announced version 1.20 on Freshmeat  
> pointing out this fixed problem. Did you see my announcement and then  
> posted to bugtraq?  
  
Nope. I was playing with it on a machine which I would like to see all  
fingers which are done to it without giving away any "free" information  
  
> This is debatable.  
> If a user wants privacy, he should remove the world readable permission,  
> not the world executable permission.  
  
I disagree.  
  
> I will not add this right now but think it over. If anyone wants to  
> comment on the way to go here, feel free to email me. I would prefer  
> discussion this in private email than on bugtraq, but if you must, I  
> will also read bugtraq comments.  
  
  
  
--  
Eilon Gishri [email protected]  
Security Consultant Office: +972-3-6406723  
Israel Inter University Computation Center Fax: +972-3-6409118  
/* On a matter of national security */ Home: +972-3-5078671  
  
------------------------------------------------------------------------------  
  
Date: Fri, 23 Apr 1999 15:46:59 -0500  
From: Dagmar d'Surreal <[email protected]>  
To: [email protected]  
Subject: Re: Ffingerd privacy issues  
Parts/Attachments:  
1 Shown 36 lines Text  
2 OK 1.4 KB Application, ""  
----------------------------------------  
  
As to the matter of the home directories being  
world-readable/executeable...  
  
Having the finger daemon assume that there is no .nofinger file because  
the home directory in question is not readable, but still executeable,  
breaks a few things. On multi-user machines, some users will be extremely  
paranoid, and will not wish to use anything BUT mode 700, because having  
the directory world-executeable will allow other users on the system to  
detect the presence of certain files in their directory (like .rhosts,  
.forward, .promcail, .pinerc) that may allow them to launch attacks at  
that particular user, knowing that there's a good chance that the user  
uses a vulnerable package, and quite possibly even the last time they used  
it depending on the file.  
  
After seeing the post on freshmeat, it occurred to me that I had forgotten  
to email Felix the patch for 1.18 that took care of the punctuation as  
well as a few other issues, and I now notice that I sent him the wrong  
version of the patch this morning anyway. (A version which did not have  
the directory mode issue fixed, but at least my binary has been working  
all this time thankfully.) Eilon Gishri dealt with it a lot more  
elegantly than I did anyway. ;)  
  
Attached is a patch which applies to the 1.20 version of Fefe's Finger  
Daemon, which includes both Eilon Gishri's patches to deal with paranoid  
users whose home directories are mode 700 (the punctuation problem had  
already been fixed in 1.20), and my misdirection patches that  
add the .fakefinger (lets users controly exactly what will be returned  
when they are fingered) file use, and the /etc/ffingerd.empty and  
/etc/ffingerd.indirect files which allow a sysadmin to change what kind of  
message is sent to people when they try indirect or empty finger queries  
without having to edit the source and recompile the daemon.  
  
----------  
Unsolicited commercial email sent to this address will be forwarded to  
[email protected], or responded to late in the evening after I've been clubbing  
long enough to be fairly drunk, and at least twice as verbally abusive.  
  
`