FreeBSD fingerd File Disclosure Vulnerability
BID:1803
Info
FreeBSD fingerd File Disclosure Vulnerability
| Bugtraq ID: | 1803 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 13 2000 12:00AM |
| Updated: | Oct 13 2000 12:00AM |
| Credit: | This vulnerability was reported to bugtraq by FreeBSD Security Advisories <[email protected]> on Fri, 13 Oct 2000. The advisory credits NIIMI Satoshi <[email protected]>. |
| Vulnerable: |
FreeBSD FreeBSD 4.1.1 -RELEASE |
| Not Vulnerable: | |
Discussion
FreeBSD fingerd File Disclosure Vulnerability
A vulnerability exists in the version of fingerd that ships with FreeBSD 4.1.1-RELEASE. This vulnerability has to do with a feature that was added to fingerd allowing users to request the contents of certain files (administrator-specified) remotely, via the finger client. Unfortunately, the client can request the contents of any file or listing of any directory on the server's filesystem readable to user 'nobody', bypassing the access restrictions. The information obtained (eg. valid usernames, possibly cgi source code, http passwd files) may be used for more complicated/targeted attacks.
fingerd sets its uid as 'nobody' and executes the finger client locally when opening the requested file. Because of this, reading the contents of "secure" files such as /etc/master.passwd is not possible via this vulnerability.
A vulnerability exists in the version of fingerd that ships with FreeBSD 4.1.1-RELEASE. This vulnerability has to do with a feature that was added to fingerd allowing users to request the contents of certain files (administrator-specified) remotely, via the finger client. Unfortunately, the client can request the contents of any file or listing of any directory on the server's filesystem readable to user 'nobody', bypassing the access restrictions. The information obtained (eg. valid usernames, possibly cgi source code, http passwd files) may be used for more complicated/targeted attacks.
fingerd sets its uid as 'nobody' and executes the finger client locally when opening the requested file. Because of this, reading the contents of "secure" files such as /etc/master.passwd is not possible via this vulnerability.
Exploit / POC
FreeBSD fingerd File Disclosure Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
FreeBSD fingerd File Disclosure Vulnerability
Solution:
From FreeBSD Advisory FreeBSD-SA-00:54 (attached in full in Credits section):
Solution
One of the following:
1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated after
the correction date.
2) Apply the patch below and rebuild your fingerd binary.
Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch.asc
# cd /usr/src/usr.bin/finger
# patch -p < /path/to/patch_or_advisory
# make all install
# cd /usr/src/libexec/fingerd
# make all install
Patch for vulnerable 4.1.x systems:
Index: finger.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v
retrieving revision 1.15.2.3
retrieving revision 1.21
diff -u -r1.15.2.3 -r1.21
--- finger.c 2000/09/15 21:51:00 1.15.2.3
+++ finger.c 2000/10/05 15:56:13 1.21
@@ -293,6 +293,16 @@
goto net;
/*
+ * Mark any arguments beginning with '/' as invalid so that we
+ * don't accidently confuse them with expansions from finger.conf
+ */
+ for (p = argv, ip = used; *p; ++p, ++ip)
+ if (**p == '/') {
+ *ip = 1;
+ warnx("%s: no such user", *p);
+ }
+
+ /*
* Traverse the finger alias configuration file of the form
* alias:(user|alias), ignoring comment lines beginning '#'.
*/
@@ -323,11 +333,11 @@
* gathering the traditional finger information.
*/
if (mflag)
- for (p = argv; *p; ++p) {
- if (**p != '/' || !show_text("", *p, "")) {
+ for (p = argv, ip = used; *p; ++p, ++ip) {
+ if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {
if (((pw = getpwnam(*p)) != NULL) && !hide(pw))
enter_person(pw);
- else
+ else if (!*ip)
warnx("%s: no such user", *p);
}
}
Solution:
From FreeBSD Advisory FreeBSD-SA-00:54 (attached in full in Credits section):
Solution
One of the following:
1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated after
the correction date.
2) Apply the patch below and rebuild your fingerd binary.
Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch.asc
# cd /usr/src/usr.bin/finger
# patch -p < /path/to/patch_or_advisory
# make all install
# cd /usr/src/libexec/fingerd
# make all install
Patch for vulnerable 4.1.x systems:
Index: finger.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v
retrieving revision 1.15.2.3
retrieving revision 1.21
diff -u -r1.15.2.3 -r1.21
--- finger.c 2000/09/15 21:51:00 1.15.2.3
+++ finger.c 2000/10/05 15:56:13 1.21
@@ -293,6 +293,16 @@
goto net;
/*
+ * Mark any arguments beginning with '/' as invalid so that we
+ * don't accidently confuse them with expansions from finger.conf
+ */
+ for (p = argv, ip = used; *p; ++p, ++ip)
+ if (**p == '/') {
+ *ip = 1;
+ warnx("%s: no such user", *p);
+ }
+
+ /*
* Traverse the finger alias configuration file of the form
* alias:(user|alias), ignoring comment lines beginning '#'.
*/
@@ -323,11 +333,11 @@
* gathering the traditional finger information.
*/
if (mflag)
- for (p = argv; *p; ++p) {
- if (**p != '/' || !show_text("", *p, "")) {
+ for (p = argv, ip = used; *p; ++p, ++ip) {
+ if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {
if (((pw = getpwnam(*p)) != NULL) && !hide(pw))
enter_person(pw);
- else
+ else if (!*ip)
warnx("%s: no such user", *p);
}
}
References
FreeBSD fingerd File Disclosure Vulnerability
References:
References: