Bugtraq mailing list archives
Re: cfingerd vulnerability
From: emarshal () COMMON NET (Edward S. Marshall)
Date: Sat, 24 May 1997 23:41:24 -0500
(This has been cc'd to both Ken Hollis and David Holland, for reasons that shall become apparent...)

On Fri, 23 May 1997, Rodrigo Barbosa wrote:

> That's ok, but you can use keymasks. And if you do: finger search.*@host you can get a list of all the users in the system. I've tried it in cfinger 1.2.2 (probably it is not the latest version).
1.3.2 still has the vulnerability, but you need to supply:
finger search.**@host
instead.
This is NotNice(tm). I've CC'd Ken Hollis with this note as well, to make
sure that he's seen it (why do people just mail bugtraq with these things,
instead of emailing authors? Grr...).
Everyone should consider disabling searches if you're running cfingerd.
Ken, would it be possible to have an additional option (if it's not
already in a newer version) to disable any wildcard/regexp matches?
Also, I've heard various reports of cfingerd having security problems in
the past. Has anyone considered sitting down with it and doing a complete
security audit? It's a nice tool to have, but if it's insecure, it
presents a problem. I'm mainly concerned with buffer overruns and other
similar problems, since it does require that you run it as root.
Aw, hell...let me take a stab at Ken's FAQ points on why it has to run as
root, and see if we can't dispel some of these myths:
Point A:   cfingerd.conf file should only be readable by root.
Rebuttal:  False. It should be read-only by a user that you specify; in
           the case of cfingerd, I'd be more than happy to assign it a
           particular user (say, "finger") to own all of the files.

Point B:   In order to change uid/gid to particular users, you must run as
           root.
Rebuttal:  True, but what about those of us who don't want users running
           scripts anyway, or are willing to sacrifice that feature for
           security? This should be optional, or you might consider
           employing a modification of the minimal setuid wrapper that
           Apache 1.2 uses to execute CGI scripts for users. This would
           limit the necessity for a setuid binary to a single, tiny,
           auditable program, as opposed to your entire source tree.

Point C:   cfingerd may not be able to read .plan or .project files.
Rebuttal:  Too bad. Seriously. This is a permissions issue; if the user
           in question doesn't want anything poking into their directory,
           they most certainly should be able to reject intrusions into it.
           As well, most users who make .plan and .project files available
           usually have other files in their home directory that are meant
           for public consumption (when is the last time you considered
           running a web server as root, so that users wouldn't have to
           worry about the permissions on their html directory trees?).

Point D:   Running as nobody ensures total security.
Rebuttal:  Ken, come on. This is a falsehood, pure and simple. I won't even
           go into this any further; this is attempting to make the users
           feel better about running as root.
I understand that you've probably been careful with writing cfingerd, Ken,
but running a server like this as root is asking for trouble. You compare
cfingerd and sendmail; there's a reason I switched our systems over to
qmail over sendmail. It's the same reason I'm considering scrapping
cfingerd, and engineering one myself that does what I need.
Plain and simple: cfingerd has no legitimate reason for running as root,
but you have code in place to ensure that I, as the administrator, have no
choice but to do so (the "this daemon must be run as root" problem).
Ken, have you found a new maintainer for cfingerd? If not...then David:
would you be willing to integrate cfingerd into the NetKit package (with
some security auditing)? Might make a nice addition...:-)
--
.-----------------------------------------------------------------------------.
| Edward S. Marshall <emarshal () common net> | CII Technical Administrator, |
| http://www.common.net/~emarshal/ | Vice-President, Common Internet |
| Finger for PGP public key. | Inc, and Linux & LPmud (ab)user. |
`-----------------------------------------------------------------------------'
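Added example, not cfingerd's code and not from anyone in this thread: a C sketch of the two mitigations argued for above, a permanent drop to a dedicated unprivileged account instead of staying root (Points A and B), and a query check that refuses the search.* and search.** keymask queries so the account list cannot be enumerated. It assumes an unprivileged account named "finger" exists; the accepted username character set is an assumed conservative allowlist, not cfingerd's real keymask syntax.

```c
#define _DEFAULT_SOURCE 1            /* declares setgroups() in <grp.h> on glibc */
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Permanently drop root to an unprivileged uid/gid (Point B above: only the
 * switch itself needs root, nothing after it does). Returns 0 on success,
 * -1 with errno set on failure. Order matters: supplementary groups, then
 * gid, then uid, because after setuid() the first two are no longer allowed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }        /* never "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }   /* drop must be irreversible */
    return 0;
}

/* Accept only a plain local username. This refuses the "search.*" and
 * "search.**" keymask queries that list every account, and any other
 * wildcard, regexp or forwarding syntax. Returns 1 if allowed, 0 otherwise. */
int query_allowed(const char *q)
{
    size_t n = strlen(q);
    if (n == 0 || n > 32) return 0;                     /* empty or oversized */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)q[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;  /* rejects . * ? @ / [ ] */
    }
    return 1;
}

int main(void)
{
    const char *samples[] = { "emarshal", "search.**@host", "search.*", "*", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-16s %s\n", samples[i], query_allowed(samples[i]) ? "lookup" : "refused");
    struct passwd *pw = getpwnam("finger");           /* assumed dedicated account */
    if (pw == NULL) { fputs("no 'finger' account; not dropping\n", stderr); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privileges"); return 1; }
    printf("now running as uid %u\n", (unsigned)geteuid());
    return 0;
}
```

Started as root, the drop to "finger" succeeds and the regain check fails as intended; started as an ordinary user, setuid() to a different account fails with EPERM, which the program reports rather than continuing.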