Bugtraq mailing list archives
Ffingerd privacy issues
From: eilon () ARISTO TAU AC IL (Eilon Gishri)
Date: Fri, 23 Apr 1999 19:26:13 +0300
--b5gNqxB1S1yM7hjW
Content-Type: multipart/mixed; boundary=G4iJoqBmSsgzjUCe
--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Hi,
I found a couple of bugs in ffingerd 1.19 which are related to
privacy.
Here goes:
The permission on root's home directory are now 700 (/home/root).
-----
(aristo)/cc/eilon>finger root@host.domain
[host.domain]
Login: root Name: #6
No project.
No plan.
No public key.
-----
A lesson in how not to be seen. On host.domain, the user doesn't want
to be seen (please stand up :)). Too bad, his/her home directory's
permissions (which says 'I want some privacy') makes ffingerd state
otherwise. Ffingerd looks for the file .nofinger in the user's home
directory but due to the current state of permissions on it, it can't
be accessed thus "there is no such file" and there for is happy to
supply us with the user's information.
-----
# cd ~root
# ls -l .nofinger
-rw-r--r-- 1 root system 0 Apr 23 18:01 .nofinger
# ls -ld .
drwx------ 5 root system 512 Apr 23 18:01 .
# chmod 755 .
-----
Now lets try again.
-----
(aristo)/cc/eilon>finger root@host.domain
[host.domain]
That user does not want to be fingered
-----
Hmmm, now for an unknown user.
-----
(aristo)/cc/eilon>finger root1@host.domain
[host.domain]
That user does not want to be fingered.
-----
Oops. Notice the dot ('.') at the end of the sentence. A very simple
and efficient way to find whether the user exists on the remote host
or not (taking into account the fact that ffingerd has been installed
on the remote host).
Attached here a patch to fix those problems.
--=20
Eilon Gishri eilon () aristo tau ac il
Security Consultant Office: +972-3-6406723
Israel Inter University Computation Center Fax: +972-3-6409118
/* On a matter of national security */ Home: +972-3-5078671
--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ffingerd-1.19.patch"
--- ffingerd.c.old Thu Feb 18 12:50:36 1999
+++ ffingerd.c Fri Apr 23 18:48:54 1999
@@ -134,7 +134,7 @@
setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);
- if (lstat(filename,&stat_buf)) {
+ if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {
#ifndef NO_SYSLOG
#ifdef FASCIST_LOGGING
char message[512];
@@ -154,7 +154,7 @@
dump_file(filename,"Public key:","No public key.");
} else {
char message[512];
- puts("That user does not want to be fingered");
+ puts("That user does not want to be fingered.");
#ifndef NO_SYSLOG
sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);
syslog(LOG_FACILITY,"%s",message);
--G4iJoqBmSsgzjUCe--
--b5gNqxB1S1yM7hjW
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
iQCVAwUBNyCfIvVKfLHHWKDtAQHExgP/RGQeg1byBqGTRlQzOUeKfDrPSteHjzNh
J2uGXE3Q7+i38HwuAfswSsF6VZgxCYDh527mJdWS10I+FZqnlpP19Oj5e3G85KSJ
Q/iEKu4e2pPiA6Bqk7+41OXnehbDIzSeA13yTx3v16O6IYg+qbWm3lvw9zW+4rG1
XQ/KP66UFwA=
=FSNu
-----END PGP SIGNATURE-----
--b5gNqxB1S1yM7hjW--
Current thread:
- Re: Bash Bug Andy Church (Apr 21)
- Re: Bash Bug Guy Cohen (Apr 22)
- WebShop advisory. Elaich Of Hhp (Apr 22)
- cold fusion scanner hYP0[13/\r (Apr 22)
- Re: Bash Bug Daniel Jacobowitz (Apr 22)
- Final Call for Papers - CQRE [Secure] networking Detlef Hühnlein (Apr 23)
- Ffingerd privacy issues Eilon Gishri (Apr 23)
- Re: Ffingerd privacy issues Felix von Leitner (Apr 23)
- Re: Ffingerd privacy issues Eilon Gishri (Apr 23)
- Re: Ffingerd privacy issues Dagmar d'Surreal (Apr 23)
- Re: Bash Bug Guy Cohen (Apr 22)
- Re: Bash Bug Ph. Rueegsegger (Apr 23)
- <Possible follow-ups>
- Re: Bash Bug Henrik Nordstrom (Apr 22)