Lucene search
Packet StormPACKETSTORM:12008HistoryAug 17, 1999 - 12:00 a.m.
ffingerd.txt
1999-08-1700:00:00
Packet Storm
packetstormsecurity.com
26
`Date: Fri, 23 Apr 1999 19:26:13 +0300
From: Eilon Gishri <[email protected]>
To: [email protected]
Subject: Ffingerd privacy issues
Hi,
I found a couple of bugs in ffingerd 1.19 which are related to
privacy.
Here goes:
The permission on root's home directory are now 700 (/home/root).
-----
(aristo)/cc/eilon>finger [email protected]
[host.domain]
Login: root Name: #6
No project.
No plan.
No public key.
-----
A lesson in how not to be seen. On host.domain, the user doesn't want
to be seen (please stand up :)). Too bad, his/her home directory's
permissions (which says 'I want some privacy') makes ffingerd state
otherwise. Ffingerd looks for the file .nofinger in the user's home
directory but due to the current state of permissions on it, it can't
be accessed thus "there is no such file" and there for is happy to
supply us with the user's information.
-----
# cd ~root
# ls -l .nofinger
-rw-r--r-- 1 root system 0 Apr 23 18:01 .nofinger
# ls -ld .
drwx------ 5 root system 512 Apr 23 18:01 .
# chmod 755 .
-----
Now lets try again.
-----
(aristo)/cc/eilon>finger [email protected]
[host.domain]
That user does not want to be fingered
-----
Hmmm, now for an unknown user.
-----
(aristo)/cc/eilon>finger [email protected]
[host.domain]
That user does not want to be fingered.
-----
Oops. Notice the dot ('.') at the end of the sentence. A very simple
and efficient way to find whether the user exists on the remote host
or not (taking into account the fact that ffingerd has been installed
on the remote host).
Attached here a patch to fix those problems.
--
Eilon Gishri [email protected]
Security Consultant Office: +972-3-6406723
Israel Inter University Computation Center Fax: +972-3-6409118
/* On a matter of national security */ Home: +972-3-5078671
[ Part 1.2, Text/PLAIN 20 lines. ]
--- ffingerd.c.old Thu Feb 18 12:50:36 1999
+++ ffingerd.c Fri Apr 23 18:48:54 1999
@@ -134,7 +134,7 @@
setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);
- if (lstat(filename,&stat_buf)) {
+ if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {
#ifndef NO_SYSLOG
#ifdef FASCIST_LOGGING
char message[512];
@@ -154,7 +154,7 @@
dump_file(filename,"Public key:","No public key.");
} else {
char message[512];
- puts("That user does not want to be fingered");
+ puts("That user does not want to be fingered.");
#ifndef NO_SYSLOG
sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);
syslog(LOG_FACILITY,"%s",message);
------------------------------------------------------------------------------
Date: Fri, 23 Apr 1999 19:43:33 +0200
From: Felix von Leitner <[email protected]>
To: [email protected]
Subject: Re: Ffingerd privacy issues
Thus spake Eilon Gishri ([email protected]):
> I found a couple of bugs in ffingerd 1.19 which are related to
> privacy.
OK. I would be happy if you email me (the author) first before
publishing this on bugtraq. Next time, maybe.
[ffingerd assumes the user wants to be fingered if his home does not
give public execute access]
This is documented in ffingerd. If you want ffingerd to look into
protected homes, run it as root.
> -----
> (aristo)/cc/eilon>finger [email protected]
> [host.domain]
> That user does not want to be fingered
> -----
> Hmmm, now for an unknown user.
> -----
> (aristo)/cc/eilon>finger [email protected]
> [host.domain]
> That user does not want to be fingered.
> -----
> Oops. Notice the dot ('.') at the end of the sentence. A very simple
> and efficient way to find whether the user exists on the remote host
> or not (taking into account the fact that ffingerd has been installed
> on the remote host).
This has been pointed out to me yesterday. I fixed it today (before I
saw this message, by the way), and announced version 1.20 on Freshmeat
pointing out this fixed problem. Did you see my announcement and then
posted to bugtraq?
> --- ffingerd.c.old Thu Feb 18 12:50:36 1999
> +++ ffingerd.c Fri Apr 23 18:48:54 1999
> @@ -134,7 +134,7 @@
> setgid(pwd->pw_gid);
> setuid(pwd->pw_uid);
> sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);
> - if (lstat(filename,&stat_buf)) {
> + if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {
> #ifndef NO_SYSLOG
> #ifdef FASCIST_LOGGING
> char message[512];
This is debatable.
If a user wants privacy, he should remove the world readable permission,
not the world executable permission.
I will not add this right now but think it over. If anyone wants to
comment on the way to go here, feel free to email me. I would prefer
discussion this in private email than on bugtraq, but if you must, I
will also read bugtraq comments.
> @@ -154,7 +154,7 @@
> dump_file(filename,"Public key:","No public key.");
> } else {
> char message[512];
> - puts("That user does not want to be fingered");
> + puts("That user does not want to be fingered.");
> #ifndef NO_SYSLOG
> sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);
> syslog(LOG_FACILITY,"%s",message);
This has already been fixed.
Felix
------------------------------------------------------------------------------
Date: Fri, 23 Apr 1999 22:00:08 +0300
From: Eilon Gishri <[email protected]>
To: [email protected]
Subject: Re: Ffingerd privacy issues
On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote:
> Thus spake Eilon Gishri ([email protected]):
> > I found a couple of bugs in ffingerd 1.19 which are related to
> > privacy.
>
> OK. I would be happy if you email me (the author) first before
> publishing this on bugtraq. Next time, maybe.
I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (A
very complicated one I must say :)) I also notified the list. I'm
not sure I would have done the same if I couldn't fix it myself.
> [ffingerd assumes the user wants to be fingered if his home does not
> give public execute access]
Huh, It's opened if it's closed ?
> This is documented in ffingerd. If you want ffingerd to look into
> protected homes, run it as root.
I want the machine itself to be protected and not only the users home
directory. I consider it a feature when I don't have to run fingerd
as root. Please don't consider it as a flame, I do like this utility
and am using it.
> > -----
> > (aristo)/cc/eilon>finger [email protected]
> > [host.domain]
> > That user does not want to be fingered
> > -----
>
> > Hmmm, now for an unknown user.
>
> > -----
> > (aristo)/cc/eilon>finger [email protected]
> > [host.domain]
> > That user does not want to be fingered.
> > -----
>
> > Oops. Notice the dot ('.') at the end of the sentence. A very simple
> > and efficient way to find whether the user exists on the remote host
> > or not (taking into account the fact that ffingerd has been installed
> > on the remote host).
>
> This has been pointed out to me yesterday. I fixed it today (before I
> saw this message, by the way), and announced version 1.20 on Freshmeat
> pointing out this fixed problem. Did you see my announcement and then
> posted to bugtraq?
Nope. I was playing with it on a machine which I would like to see all
fingers which are done to it without giving away any "free" information
> This is debatable.
> If a user wants privacy, he should remove the world readable permission,
> not the world executable permission.
I disagree.
> I will not add this right now but think it over. If anyone wants to
> comment on the way to go here, feel free to email me. I would prefer
> discussion this in private email than on bugtraq, but if you must, I
> will also read bugtraq comments.
--
Eilon Gishri [email protected]
Security Consultant Office: +972-3-6406723
Israel Inter University Computation Center Fax: +972-3-6409118
/* On a matter of national security */ Home: +972-3-5078671
------------------------------------------------------------------------------
Date: Fri, 23 Apr 1999 15:46:59 -0500
From: Dagmar d'Surreal <[email protected]>
To: [email protected]
Subject: Re: Ffingerd privacy issues
Parts/Attachments:
1 Shown 36 lines Text
2 OK 1.4 KB Application, ""
----------------------------------------
As to the matter of the home directories being
world-readable/executeable...
Having the finger daemon assume that there is no .nofinger file because
the home directory in question is not readable, but still executeable,
breaks a few things. On multi-user machines, some users will be extremely
paranoid, and will not wish to use anything BUT mode 700, because having
the directory world-executeable will allow other users on the system to
detect the presence of certain files in their directory (like .rhosts,
.forward, .promcail, .pinerc) that may allow them to launch attacks at
that particular user, knowing that there's a good chance that the user
uses a vulnerable package, and quite possibly even the last time they used
it depending on the file.
After seeing the post on freshmeat, it occurred to me that I had forgotten
to email Felix the patch for 1.18 that took care of the punctuation as
well as a few other issues, and I now notice that I sent him the wrong
version of the patch this morning anyway. (A version which did not have
the directory mode issue fixed, but at least my binary has been working
all this time thankfully.) Eilon Gishri dealt with it a lot more
elegantly than I did anyway. ;)
Attached is a patch which applies to the 1.20 version of Fefe's Finger
Daemon, which includes both Eilon Gishri's patches to deal with paranoid
users whose home directories are mode 700 (the punctuation problem had
already been fixed in 1.20), and my misdirection patches that
add the .fakefinger (lets users controly exactly what will be returned
when they are fingered) file use, and the /etc/ffingerd.empty and
/etc/ffingerd.indirect files which allow a sysadmin to change what kind of
message is sent to people when they try indirect or empty finger queries
without having to edit the source and recompile the daemon.
----------
Unsolicited commercial email sent to this address will be forwarded to
[email protected], or responded to late in the evening after I've been clubbing
long enough to be fairly drunk, and at least twice as verbally abusive.
`