Bugtraq mailing list archives

Multiple vulnerabilities in akfingerd


From: Gianni Tedesco <gianni () ecsc co uk>
Date: 05 Dec 2002 18:29:45 +0000

<INSERT ASCII BANNER AND ADVERTISING HERE>

PRODUCT.
akfingerd (http://synflood.at/akfingerd/)

EXPLOIT-ID.
ECSC Ltd. Official K-R4d E-Security Advertisory.
KR4D-VULN-ID-0-000-000-000-000-000-000-000-001

IMPORTANT SOUNDING DESCRIPTION.
Akfingerd is a 'secure' finger server used by no one, blah blah..

VERSIONS AFFECTED (to make it sound scientific).
0.5, probably all other versions, past and future.

LIST OF K-RAD VULNS.
1. Remote user can cause DoS. To reproduce, simply connect to the finger
server and stay connected: akfingerd serves one client at a time, so for the
duration of your connection no one else can connect. One idle client holds
the whole service; nothing (a child process per client, a per-connection
timeout) bounds the session.

2. Local user can kill akfingerd. He need only symlink his .plan file to
/dev/urandom, finger his own account and, while akfingerd is still spewing
the endless data, disconnect. Akfingerd fails to handle SIGPIPE (whose
default action is to terminate the process), so the write to the closed
socket takes the daemon down, not just that one session.

3. User can read files owned by user 'nobody' (the uid akfingerd drops to).
ln -s /some/file ~/.plan, finger yourself, and akfingerd hands you the
target. Interestingly enough there is some weird code to lstat() the plan
file first, then open it only if lstat() is successful. I have _NO IDEA_
what that is for.... lstat() reports on the link itself, not its target,
and merely succeeding proves nothing: unless the result is checked for
S_ISLNK it does not stop the symlink being followed, and even then the path
can be swapped between the lstat() and the open(). Only O_NOFOLLOW on the
open(), or an fstat() on the descriptor actually opened, settles what was
read.

4. Fails to drop supplementary groups, so using exploit 3 you can also read
any file group-readable by the root group (0), or by any other
supplementary group that root belongs to. Changing uid and gid is not
enough: setgroups() has to be called (while still root) before setgid()
and setuid(), and getgroups() afterwards should report an empty list.
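
The following is an added example, not code from akfingerd or its author: the
checks that would close findings 2 to 4 above, written in C, with a self_check()
that exercises them against constructed fixtures. Every name in it
(open_plan_file, send_plan, drop_privileges, self_check, the /tmp fixture paths,
the 64 KiB cap) is the example's own, and Linux/glibc is assumed. Switching to
the fingered user's own uid before touching ~/.plan would be the stronger
design; the ownership check below is the minimum that keeps finding 3 from
reading anyone else's files.

```c
/* Added example, not akfingerd's code (names are the example's own, Linux/glibc
 * assumed): the fixes findings 2-4 call for, plus a self_check() that exercises
 * them against constructed fixtures under /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PLAN_MAX_BYTES (64 * 1024)  /* bound on what one finger pulls out of a .plan */

/* Finding 3: refuse to follow a symlink, then judge the opened descriptor rather
 * than a path (lstat-then-open inspects a different object, and races). Only a
 * regular file owned by the fingered user passes, so a link to /dev/urandom or
 * to a file owned by 'nobody' or root is rejected. Returns fd, or -1 + errno. */
int open_plan_file(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) return -1;             /* ELOOP on Linux: the path was a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EACCES;                /* device, FIFO, or someone else's file */
        return -1;
    }
    return fd;
}

/* Finding 2: with SIGPIPE ignored, a client that hangs up mid-transfer becomes an
 * EPIPE error from write() instead of a signal whose default action exits us. */
void ignore_sigpipe(void) { signal(SIGPIPE, SIG_IGN); }

/* Copy at most PLAN_MAX_BYTES from in_fd to out_fd. Returns bytes sent, or -1
 * with errno set (EPIPE once the peer is gone); the caller then just closes. */
ssize_t send_plan(int in_fd, int out_fd)
{
    char buf[4096]; ssize_t total = 0;
    while (total < PLAN_MAX_BYTES) {
        size_t left = (size_t)(PLAN_MAX_BYTES - total);
        ssize_t n = read(in_fd, buf, left < sizeof buf ? left : sizeof buf);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) { if (errno == EINTR) continue; return -1; }
            off += w;
        }
        total += n;
    }
    return total;
}

/* Finding 4: supplementary groups first (only root may), then gid, then uid, then
 * prove root cannot be regained. Skipping setgroups() keeps root's group list. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Constructed fixtures: an 11-byte .plan and a symlink to /dev/urandom. Returns 0
 * when every case behaves as intended, otherwise the number of the failing case. */
int self_check(void)
{
    char dir[64], plan[96], lnk[96];
    snprintf(dir, sizeof dir, "/tmp/plancheck.%ld", (long)getpid());
    snprintf(plan, sizeof plan, "%s/plan", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if (mkdir(dir, 0700) < 0) return 1;
    int fd = open(plan, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "hello plan\n", 11) != 11) return 2;
    close(fd); fd = -1;
    int rc = 0, p[2] = {-1, -1};
    if (symlink("/dev/urandom", lnk) < 0) rc = 3;
    else if (open_plan_file(lnk, getuid()) >= 0) rc = 4;          /* symlink refused */
    else if (open_plan_file("/dev/null", getuid()) >= 0) rc = 5;  /* not a regular file */
    else if (open_plan_file(plan, getuid() + 1) >= 0) rc = 6;     /* wrong owner */
    else if ((fd = open_plan_file(plan, getuid())) < 0) rc = 7;   /* the honest case */
    else if (pipe(p) < 0) rc = 8;
    else if (send_plan(fd, p[1]) != 11) rc = 9;                   /* 11 bytes delivered */
    else {
        ignore_sigpipe();
        close(p[0]); p[0] = -1;                                   /* "client" hangs up */
        lseek(fd, 0, SEEK_SET);
        if (send_plan(fd, p[1]) != -1 || errno != EPIPE) rc = 10; /* EPIPE, no death */
    }
    if (fd >= 0) close(fd);
    close(p[0]); close(p[1]);                                     /* close(-1) is harmless */
    unlink(plan); unlink(lnk); rmdir(dir);
    return rc;
}

int main(void) { int rc = self_check(); printf("self_check: %d (0 = ok)\n", rc); return rc; }
```

self_check() walks the cases in order: the symlink is refused by O_NOFOLLOW, a
device node fails the S_ISREG test, a file owned by someone else fails the owner
test, the real .plan is served, and once the "client" closes its end the second
send_plan() comes back with EPIPE instead of the process dying. Finding 1 is not
covered here; the cure for that is structural (a child per connection, or at
least alarm() around the session), not a local check.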

VENDOR NOTIFICATION STATUS FULL DISCLOSURE-O-RAMA.
I contacted the author months ago (probably more than a year now, I don't
have a copy of the email anymore). My problem is that the blurb
describes it as a 'secure' finger replacement. To which my only response
is no, no it isn't. This software is unlikely to be in use by anyone,
but it is interesting to see that the hardest part of writing
secure software is evidently fitting the word into the title. Security
through obscurity? Security through marketing. Unbreakable Trusted
Computing(tm).

PROOF-OF-CONCEPT HAIKU
 Connect to finger
 Stay connected, for a while
 Cherry blossom falls

FIXES/WORKAROUNDS
 10 PRINT Don't use it
 20 GOTO 10

FINAL THOUGHTS.
There are probably other exploits but the code is basically insecure by
design and pretty much unsalvageable. That said, try as I might, I
completely failed to find a 'cross site scripting' vulnerability in this
software.

DISCLAIMER (to make me sound sexy and dangerous).
Any spelling mistakes are the responisibility of the reader. If you
received this email in error then refer to terms and conditions in
article 3a. in accordance with the 1972 electronic fraud act and section
1.1b of the Bulgarian obscene conduct in public statute. Your livestock
are not affected.

(most likely coming soon: akpop3d, tiny-cron, .*secure.*d(a)?emon$, etc
etc...)

-- 
// TEAM K-R4D-VULN (fanmail: kr4dvulns at ecsc dot co dot uk) ECSC Ltd.
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
