[166] in linux-security and linux-alert archive
Re: finger @ bug
daemon@ATHENA.MIT.EDU (Michael Shields)
Wed Mar 15 07:15:16 1995
To: rzm@oso.chalmers.se (Rafal Maszkowski)
Date: Tue, 14 Mar 1995 23:30:53 -0500 (EST)
Cc: linux-security@tarsier.cv.nrao.edu, flla@stud.uni-sb.de
In-Reply-To: <9503140123.AA08850@oden.oso.chalmers.se> from "Rafal Maszkowski" at Mar 14, 95 02:23:04 am
From: shields@tembel.org (Michael Shields)
This is easy to fix. Here's a patch I wrote just now. This is against
the fingerd in NetKit-B 0.06.
--- 1.1.1.1 1994/08/29 04:35:25
+++ fingerd.c 1995/03/15 04:26:08
@@ -49,6 +54,8 @@
#include <sys/utsname.h>
#include <string.h>
#include <netdb.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
main(argc, argv)
@@ -63,8 +70,10 @@
register char *lp;
int p[2];
#define ENTRIES 50
- char **ap, *av[ENTRIES + 1], line[1024], *strtok();
+ char **ap, *av[ENTRIES + 1], line[1024], *cp, *strtok();
int welcome = 0;
+ struct sockaddr_in sin;
+ int sval;
opterr = 0;
while ((ca = getopt(argc, argv, "w")) != EOF)
@@ -80,15 +89,9 @@
argc -= optind;
argv += optind;
-#ifdef LOGGING /* unused for now */
-#include <netinet/in.h>
- struct sockaddr_in sin;
- int sval;
-
sval = sizeof(sin);
- if (getpeername(0, &sin, &sval) < 0)
+ if (getpeername(0, (struct sockaddr *) &sin, &sval) < 0)
fatal("getpeername");
-#endif
if (!fgets(line, sizeof(line), stdin))
exit(1);
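Review bot: With the `#ifdef LOGGING` guard removed, the `getpeername` call is unconditional, so fingerd now leaves through `fatal("getpeername")` before reading any request whenever stdin is not a connected socket (for example when run by hand for testing). If that is intended, a comment such as `/* peer address is needed for the syslog warning below; refuse to run without one */` would make it explicit. The result is later formatted with `inet_ntoa(sin.sin_addr)` without confirming the address family. A check like `if (sin.sin_family != AF_INET) exit(1);` right after the call would keep that log field meaningful. The body of main continues outside this hunk.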
@@ -117,6 +120,13 @@
*ap = strtok(lp, " \t\r\n");
if (!*ap)
break;
+ /* Guard against recursive fingers or `jrn@@@foovax'. */
+ if (cp = strchr(*ap, '@')) {
+ syslog(LOG_WARNING | LOG_DAEMON,
+ "`@' in finger request from %s; that's suspicious",
+ inet_ntoa(sin.sin_addr));
+ *cp = 0;
+ }
/* RFC742: "/[Ww]" == "-l" */
if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
*ap = "-l";
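Review bot: Truncating at the first `@` with `*cp = 0;` still forwards the rest of the request, and a token that begins with `@` becomes an empty-string argument rather than being dropped. How the local finger treats an empty argument is not visible here, so the result may differ from what the author expects. The `syslog` call also fires once per offending token, so a single request line can produce up to ENTRIES warnings from an unauthenticated peer. Logging once and refusing the request, i.e. replacing `*cp = 0;` with `exit(1);`, would avoid both. The condition would also read more safely as `if ((cp = strchr(*ap, '@')) != NULL) {`. The enclosing loop starts and ends outside this hunk.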
--
Shields.