Bugtraq mailing list archives

Re: Forwared to me

From: medeiros () ENG USF EDU (Raymond Medeiros)
Date: Thu, 9 Jul 1998 22:13:41 -0400


I would have to only completely agree with you.  This fix which was
contained in the ISS security announcement was indeed very weak.  My
suggestion was to at the very least deny access to finger requests from
the outside.  This attack really isn't that bad however I have been able
to take out a machine on my own subnet using a simple perl script.  In
reality it doesn't appear to be more of a threat than a ping flood.  I
have also looked into using it as part of the beginning to a spoofing
attack (under controlled conditions of course) and it has no apparent
value.  Never the less it should be brought to everyones attention as it
is such a simple implementation and just one more reason to be suspicious
of the use of yp.

-------------------------------------------------------------------------------
Raymond R Medeiros II                   email: medeiros () eng usf edu
Junior Systems Administrator            www: http://www.eng.usf.edu/~medeiros
Engineering Computing
University of South Florida

On Fri, 10 Jul 1998, Solar Designer wrote:

Hello,

# mv /usr/bin/finger /usr/bin/finger.exe
# cat > /usr/bin/finger
#!/bin/sh
exec /usr/bin/finger.exe -m $*
^D
# chmod +x /usr/bin/finger


Hmm, weird, this doesn't look safe to me. Why trust the extra parsing done
by the shell? Look at this:

sunny:~$ finger "a -b"
finger: a -b: no such user.

sunny:~$ finger a -b
finger: illegal option -- b
usage: finger [-lmps] [login ...]

Now, many implementations of fingerd just run finger on data received from
the remote, doing some sanity checks first, and splitting the arguments
for execv(). These checks often include denying passing of some or all
options to finger. If fingerd knows about less word separators than the
shell does, then an attacker might be able to pass a forbidden option to
finger. For example, if our fingerd didn't know about tabs (which isn't a
security hole yet: our fingerd uses execv(), remember?), a remote attacker
could send us "user\t-option".

I admit that the problem isn't serious: not all fingerd's are done this
way, forbidden finger options are likely to violate someone's privacy
only, etc. Still, it's not a good idea to trust the shell, in general.

Signed,
Solar Designer

Current thread:

Re: ncurses 4.1 security bug, (continued)
- - - Re: ncurses 4.1 security bug matthew green (Jul 10)
    - Re: ncurses 4.1 security bug Theo de Raadt (Jul 10)
    - Re: ncurses 4.1 security bug Wietse Venema (Jul 12)
    - Seattle Lab fixes security issue in SLmail Aleph One (Jul 12)
    - Re: ncurses 4.1 security bug David Schwartz (Jul 09)
    - sshd gives out version number Tom Dyas (Jul 09)
  - Forwared to me Raymond Medeiros (Jul 08)
    - Re: Forwared to me Solar Designer (Jul 09)
    - Remote count.cgi exploit mods _ _ (Jul 09)
    - Re: Remote count.cgi exploit mods Gus (Jul 11)
    - Re: Forwared to me Raymond Medeiros (Jul 09)
    - socks5 1.0r5 buffer overflow.. Zach Brown (Jul 10)
    - Re: Forwared to me Toomas Soome (Jul 10)
    - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Raymond Medeiros (Jul 13)
    - Re: Forwared to me Toomas Soome (Jul 13)
    - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Jason Downs (Jul 13)
    - Re: Forwared to me Illuminatus Primus (Jul 13)
    - Netware 4.x Attack Tool Announcement Simple Nomad (Jul 13)
- Re: ncurses 4.1 security bug Casper Dik (Jul 09)

(Thread continues...)