Vulnerability Development mailing list archives

Re: report finger gives long list of users


From: "Larry W. Cashdollar" <lwc () VAPID DHS ORG>
Date: Fri, 23 Mar 2001 12:37:12 -0500

This is actually an old problem where you could finger 0@sunhost and get a
list of users.  It appears it still works for Solaris 2.7, not sure about
2.8.

On Wed, 21 Mar 2001, John Galt wrote:

> On Mon, 19 Mar 2001, Jens Hektor wrote:
>
> > Hi,
> >
> > Recently, on a compromised host somewhere, a script was found containing
> > the following very interesting line:
> >
> >     finger "0 1 2 3 4 5 6 7 8 9"@host
> >
> > If "host" is a Solaris host with finger service enabled in /etc/inetd.conf,
> > one will get a complete (?) list of accounts on this system.
>
> That's one WEIRD parse.  [0-9] should not return true for "sam".  I'd
> suggest that the actual thing is that the kiddie (or one of their friends)
> has a penchant for r00t users with numerical usernames to "hide".  Numeric
> usernames are also common in FTP: perhaps they were looking for an ftpd
> 'sploit?
>
> > Workaround: disable finger service in /etc/inetd.conf
> >
> > More urgent workaround: disable all accounts you can't attach to a daemon
> > or person, or at least give them a shell of /bin/false.
> >
> > Since this is already found in the wild and there seems to be no patch for
> > this undocumented feature, the vuln-dev list of SecurityFocus is included.
>
> If it does as you say, it's documented in the protocol.  RFC 1288 section
> 3.2.6.
>
>    3.2.6.  {U} ambiguity
>       Be aware that a malicious user's clever and/or persistent use of this
>       feature can result in a list of most of the usernames on a system.
>       Refusal of {U} ambiguity should be considered in the same vein as
>       refusal of {C} requests (see section 3.2.2).
>
> > Best regards, Jens Hektor
> >
> > --
> > Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
> > Computing Center Technical University Aachen, firewalls/network security
> > mailto:hektor () RZ RWTH-Aachen DE, Tel.: +49 241 80 4866, Raum: 2.35
> > Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889
>
> --
> EMACS == Eight Megabytes And Constantly Swapping
>
> Who is John Galt?  galt () inconnu isu edu, that's who!
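The RFC 1288 rule John Galt quotes can be enforced in the request parser itself. The following is an added example, not code from this thread or from any vendor's fingerd: it parses a raw finger query line, refuses the empty {C} list request, multi-token {U} queries (the "0 1 2 3 4 5 6 7 8 9" line above) and forwarding requests, and answers only exact login-name matches, never substring or GECOS searches. KNOWN_USERS is a constructed sample standing in for the account database.

```python
import re

# RFC 1288 query grammar (simplified):
#   {Q1} ::= [{W}|{W}{S}{U}]{C}     "\r\n", "/W\r\n", "/W jens\r\n"
#   {Q2} ::= [{W}{S}][{U}]{H}{C}    "jens@other.host\r\n" (forwarding)
# An empty query is the {C} list request of section 3.2.2; a query naming
# several users, or one matched loosely against the account database, is
# the {U} ambiguity of section 3.2.6.

# Constructed sample account list standing in for /etc/passwd.
KNOWN_USERS = {"jens", "galt", "lwc", "sam", "user2001"}

ACCEPT = "accept"
REFUSE_LIST = "refuse: {C} list request (3.2.2)"
REFUSE_AMBIG = "refuse: {U} ambiguity (3.2.6)"
REFUSE_FORWARD = "refuse: {Q2} forwarding request"
REFUSE_SYNTAX = "refuse: malformed {U}"

LOGIN_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")

def parse_query(raw: bytes):
    """Split one raw query line into (verbose_flag, list of {U} tokens)."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    tokens = line.split()
    verbose = bool(tokens) and tokens[0].upper() == "/W"
    return verbose, (tokens[1:] if verbose else tokens)

def classify(raw: bytes) -> str:
    """Decide whether a query may be answered at all, before any lookup."""
    _, tokens = parse_query(raw)
    if not tokens:
        return REFUSE_LIST
    if len(tokens) != 1:
        # "0 1 2 3 4 5 6 7 8 9" lands here: ten {U} tokens in one query.
        return REFUSE_AMBIG
    if "@" in tokens[0]:
        return REFUSE_FORWARD
    if not LOGIN_NAME.fullmatch(tokens[0]):
        return REFUSE_SYNTAX
    return ACCEPT

def respond(raw: bytes, users=KNOWN_USERS) -> str:
    """Answer only an exact login-name match; one fixed reply for refusals."""
    if classify(raw) != ACCEPT:
        return "Query refused.\r\n"
    verbose, (user,) = parse_query(raw)
    if user not in users:
        return "No match.\r\n"
    return f"Login: {user}{'  (verbose)' if verbose else ''}\r\n"
```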
