Bugtraq mailing list archives
Re: cfingerd vulnerability
From: emarshal () COMMON NET (Edward S. Marshall)
Date: Sat, 24 May 1997 23:41:24 -0500
(This has been cc'd to both Ken Hollis and David Holland, for reasons that shall become apparent...)

On Fri, 23 May 1997, Rodrigo Barbosa wrote:

> That's ok, but you can use keymasks. And if you do: finger search.*@host you can get a list of all the users in the system. I've tried it in cfinger 1.2.2 (probably it is not the latest version).

1.3.2 still has the vulnerability, but you need to supply: finger search.**@host instead. This is NotNice(tm). I've CC'd Ken Hollis with this note as well, to make sure that he's seen it (why do people just mail bugtraq with these things, instead of emailing authors? Grr...). Everyone should consider disabling searches if you're running cfingerd.

Ken, would it be possible to have an additional option (if it's not already in a newer version) to disable any wildcard/regexp matches?

Also, I've heard various reports of cfingerd having security problems in the past. Has anyone considered sitting down with it and doing a complete security audit? It's a nice tool to have, but if it's insecure, it presents a problem. I'm mainly concerned with buffer overruns and other similar problems, since it does require that you run it as root.

Aw, hell...let me take a stab at Ken's FAQ points on why it has to run as root, and see if we can't dispel some of these myths:

Point A: cfingerd.conf file should only be readable by root.

Rebuttal: False. It should be read-only by a user that you specify; in the case of cfingerd, I'd be more than happy to assign it a particular user (say, "finger") to own all of the files.

Point B: In order to change uid/gid to particular users, you must run as root.

Rebuttal: True, but what about those of us who don't want users running scripts anyway, or are willing to sacrifice that feature for security? This should be optional, or you might consider employing a modification of the minimal setuid wrapper that Apache 1.2 uses to execute CGI scripts for users. This would limit the necessity for a setuid binary to a single, tiny, auditable program, as opposed to your entire source tree.

Point C: cfingerd may not be able to read .plan or .project files.

Rebuttal: Too bad. Seriously. This is a permissions issue; if the user in question doesn't want anything poking into their directory, they most certainly should be able to reject intrusions into it. As well, most users who make .plan and .project files available usually have other files in their home directory that are meant for public consumption (when is the last time you considered running a web server as root, so that users wouldn't have to worry about the permissions on their html directory trees?).

Point D: running as nobody ensures total security

Rebuttal: Ken, come on. This is a falsehood, pure and simple. I won't even go into this any further; this is attempting to make the users feel better about running as root.

I understand that you've probably been careful with writing cfingerd, Ken, but running a server like this as root is asking for trouble. You compare cfingerd and sendmail; there's a reason I switched our systems over to qmail over sendmail. It's the same reason I'm considering scrapping cfingerd, and engineering one myself that does what I need. Plain and simple: cfingerd has no legitimate reason for running as root, but you have code in place to ensure that I, as the administrator, have no choice but to do so (the "this daemon must be run as root" problem).

Ken, have you found a new maintainer for cfingerd? If not...then David: would you be willing to integrate cfingerd into the NetKit package (with some security auditing)? Might make a nice addition...:-)

--
.-----------------------------------------------------------------------------.
| Edward S. Marshall <emarshal () common net> | CII Technical Administrator,     |
| http://www.common.net/~emarshal/            | Vice-President, Common Internet  |
| Finger for PGP public key.                  | Inc, and Linux & LPmud (ab)user. |
`-----------------------------------------------------------------------------'
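An added illustration, not cfingerd's code and not from any poster in this thread, of the two mitigations argued for in the message above: refusing "search." and wildcard finger queries outright, and dropping root to a dedicated unprivileged account once the configuration has been read. The account name "finger", the allowed-character policy and the function names are this example's own assumptions.

```c
/* Added example (not cfingerd's code): a finger request filter plus a
 * privilege-drop routine. Policy choices below are constructed, not cfingerd's. */
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 if the requested name may be looked up, 0 if it must be refused.
 * Refuses the "search." prefix (cfingerd's user-list search), any wildcard
 * metacharacter, forwarding ('@'), and anything outside a plain login name. */
int finger_query_allowed(const char *q)
{
    size_t len = strlen(q);
    if (len == 0 || len > 32)                 /* assumed sane login-name bound */
        return 0;
    if (strncmp(q, "search.", 7) == 0)        /* explicit search request */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)q[i];
        if (c == '*' || c == '?' || c == '[' || c == '@')
            return 0;                         /* wildcard or forwarding syntax */
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;                         /* '.' excluded on purpose */
    }
    return 1;
}

/* Drop root to 'user' after the config has been read. Order matters:
 * supplementary groups, then gid, then uid; finally verify that root cannot
 * be regained. Returns 0 on success, -1 on any failure (caller should exit). */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)        /* unknown account, or still root */
        return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0)                       /* must fail once privileges are gone */
        return -1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "emarshal", "search.**", "sea*", "user@host" };
    for (size_t i = 0; i < 4; i++)            /* constructed sample queries */
        printf("%-10s -> %s\n", samples[i],
               finger_query_allowed(samples[i]) ? "allowed" : "refused");
    return 0;                                 /* drop_privileges("finger") would follow config load in a real daemon */
}
```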