Vulnerability Development mailing list archives

Re: report finger gives long list of users

From: "Juan M. Courcoul" <courcoul () campus qro itesm mx>
Date: Wed, 28 Mar 2001 10:59:53 -0600

Granted that this is a security breach that should be addressed at the source, but perhaps the sysadmin should take a 
good hard look and decide if the finger service is REALLY needed. In a single purpose dedicated host, do you need to 
know who is logged in via telnet or what the account's vital stats are ?

At the very least, you should protect it via a TCP Wrapper or suchlike, so that only trusted hosts can have access.

JMC

Joseph Nicholas Yarbrough wrote:


I can confirm this "feature" on solaris 8.

"finger 0@localhost" & "finger 1234567@localhost" both return the list of
users.

-Nick

On Tuesday 27 March 2001 22:19, warning3 wrote:

If you use digits as username, Solaris "finger" will list the users who
have not configured full name in /etc/passwd.

I heard that DG-UX  has this "feature" too.

[root@ /]> uname -sr
SunOS 5.6
[root@ /]> cat /etc/passwd
root:x:0:1:Super-User:/:/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
blah:x:501:100::/export/home/blah:/bin/sh

[root@ /]> finger 1234567@localhost
[localhost]
Login       Name               TTY         Idle    When    Where
daemon          ???                         < .  .  .  . >
bin             ???                         < .  .  .  . >
sys             ???                         < .  .  .  . >
blah            ???            pts/1        <Mar  7 21:55> xx.xx.xx.xx



---Original Message---

From : "Larry W. Cashdollar" <lwc () VAPID DHS ORG>


Date : Fri, 23 Mar 2001 12:37:12 -0500

This is actually an old problem where you could finger 0@sunhost and get
a list of users.  It appears it still works for solaris 2.7, not sure
about 2.8.


Regards,
warning3 <warning3 () nsfocus com>
http://www.nsfocus.com

Current thread:

report finger gives long list of users Jens Hektor (Mar 20)
- Re: report finger gives long list of users John Galt (Mar 23)
  - Re: report finger gives long list of users Jens Hektor (Mar 23)
  - Re: report finger gives long list of users Larry W. Cashdollar (Mar 25)
    - Re: report finger gives long list of users warning3 (Mar 28)
    - Re: report finger gives long list of users Joseph Nicholas Yarbrough (Mar 28)
    - Re: report finger gives long list of users Juan M. Courcoul (Mar 28)
    - Re: report finger gives long list of users Air Force Guy (Mar 28)
    - Re: report finger gives long list of users Meritt James (Mar 28)
    - Re: report finger gives long list of users Edsel Adap (Mar 28)
    - Re: report finger gives long list of users olle (Mar 28)
- <Possible follow-ups>
- Re: report finger gives long list of users Robert G. Ferrell (Mar 28)
- Re: report finger gives long list of users Schott, Erik (CORP, GEAccess) (Mar 28)