Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: in.fingerd follows sym-links on Solaris 8
From: "J. Bol" <j.bol () itsec nl>
Date: Mon, 28 May 2001 14:57:40 +0200

On a Solaris 8, i386 machine, I did the following:

$ ls -al
drwxr-xr-x  4  j      other   512 May 28, 14:12 .
drwxr-xr-x  5  root   root    512 May 28, 14:10 ..
lrwxrwxrwx  1  j      other     6 May 28, 14:12 .plan -> myplan
-rw-------  1  nobody nobody   17 May 28, 14:12 myplan
$ finger -l j () localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
No plan.

After I changed the mod of myplan to world-readable, finger gave me

$ finger -l j () localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
Plan:
This is my plan.

So I'd say in.fingerd is not vulnerable for the symlink attack you
describe.

J. Bol

Lukasz Luzar wrote:

Hello,

 Ok, the example wasn't good.
 It was a long day for me, thus, please forgive me that slip-up.

 The sym-links attack is very useful when you want to read
 files that are readable only by unprivileged user.

 On example, many httpd servers works with the same privilages,
 it means that you can read any CGI temporary file, and other
 files readable only by CGI scripts.

 I think about a case where a CGI script saves some important
 information in a temporary file, like PHP do with the sessions:

  -rw------- 1 nobody nobody    329 May 14 12:16  /tmp/sess_0cd156a633

 When you have installed in.fingerd, and the in.fingerd is vulnerable,
 all local users are able to read the information from the files.

 There are few other examples.

--
Lukasz Luzar
http://Developers.of.PL/
Crede quod habes, et habes

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault