[170] in linux-security and linux-alert archive
Re: finger @ bug
daemon@ATHENA.MIT.EDU (Michael Shields)
Thu Mar 16 03:17:31 1995
To: shields@tembel.org (Michael Shields)
Date: Wed, 15 Mar 1995 17:21:40 -0500 (EST)
Cc: rzm@oso.chalmers.se, linux-security@tarsier.cv.nrao.edu,
flla@stud.uni-sb.de
In-Reply-To: <m0rokjV-000DO5C@yage.tembel.org> from "Michael Shields" at Mar 14, 95 11:30:53 pm
From: shields@tembel.org (Michael Shields)
Yesterday I wrote:
> This is easy to fix. Here's a patch I wrote just now. This is against
> the fingerd in NetKit-B 0.06.
After some thought, here's a patch that gives better log messages by
looking up the hostname of the remote system, and using openlog(3).
It also sends an error to the remote user, rather than simply truncating;
this is less astonishing.
diff -u -r1.1.1.1 fingerd.c
--- 1.1.1.1 1994/08/29 04:35:25
+++ fingerd.c 1995/03/15 22:17:25
@@ -49,6 +54,8 @@
#include <sys/utsname.h>
#include <string.h>
#include <netdb.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
main(argc, argv)
@@ -63,8 +70,12 @@
register char *lp;
int p[2];
#define ENTRIES 50
- char **ap, *av[ENTRIES + 1], line[1024], *strtok();
+ char **ap, *av[ENTRIES + 1], line[1024], *cp, *strtok();
int welcome = 0;
+ struct sockaddr_in sin;
+ int sval;
+ struct hostent *remotehost;
+ const char *remotename;
opterr = 0;
while ((ca = getopt(argc, argv, "w")) != EOF)
@@ -80,15 +91,17 @@
argc -= optind;
argv += optind;
-#ifdef LOGGING /* unused for now */
-#include <netinet/in.h>
- struct sockaddr_in sin;
- int sval;
-
sval = sizeof(sin);
- if (getpeername(0, &sin, &sval) < 0)
+ if (getpeername(0, (struct sockaddr *) &sin, &sval) < 0)
fatal("getpeername");
-#endif
+ remotehost = gethostbyaddr((const char *) &sin.sin_addr,
+ sizeof(sin), AF_INET);
+ if (remotehost)
+ remotename = remotehost->h_name;
+ else
+ remotename = inet_ntoa(sin.sin_addr);
+
+ openlog("fingerd", LOG_PID, LOG_DAEMON);
if (!fgets(line, sizeof(line), stdin))
exit(1);
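Review bot: The length passed to gethostbyaddr() is `sizeof(sin)`, the size of the whole sockaddr_in, while the pointer is to `sin.sin_addr`; the call should pass `sizeof(sin.sin_addr)`, otherwise the lookup may fail or read past the end of `sin`, depending on the resolver. The name it returns comes from reverse DNS, which is controlled by whoever runs the remote address, and nothing here forward-confirms it, so the later syslog line can carry a misleading hostname. Logging `inet_ntoa(sin.sin_addr)` alongside the name would keep the record usable for tracing. getpeername() is also no longer behind `#ifdef LOGGING`, so fingerd now exits through fatal() whenever stdin is not a socket. main()'s body starts and ends outside the hunk.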
@@ -117,6 +130,15 @@
*ap = strtok(lp, " \t\r\n");
if (!*ap)
break;
+ /* Guard against recursive fingers or `jrn@@@foovax'. */
+ if (cp = strchr(*ap, '@')) {
+ syslog(LOG_WARNING,
+ "`@' in finger request from %s; that's suspicious",
+ remotename);
+ printf("Recursive fingering not allowed!\r\n");
+ fflush(stdout);
+ exit(0);
+ }
/* RFC742: "/[Ww]" == "-l" */
if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
*ap = "-l";
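Review bot: `cp` is assigned in the test `if (cp = strchr(*ap, '@'))` and never read in the visible lines, so the assignment-as-condition adds nothing and draws a compiler warning. `if (strchr(*ap, '@') != NULL)` is equivalent and would let the `*cp` declaration added in the second hunk be dropped, assuming nothing outside the hunks uses it. The new syslog() and openlog() calls need `<syslog.h>`, which is not among the includes added in the first hunk; confirm the file already pulls it in. The enclosing token loop starts and ends outside the hunk, so whether every argument passes through this check cannot be confirmed from here.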
--
Shields.