[3017] in WWW Security List Archive
Re: SUMMARY: Finger& Security Problems
daemon@ATHENA.MIT.EDU (Chris Garrigues)
Fri Sep 20 18:06:30 1996
To: "Antonio" <amclean@surviac.flight.wpafb.af.mil>
Cc: www-security@ns2.rutgers.edu, cwg@deepeddy.DeepEddy.Com
In-Reply-To: Your message of "Fri, 20 Sep 1996 09:15:55 EDT."
<960920091557.ZM10343@mcleanat>
Date: Fri, 20 Sep 1996 15:04:10 -0500
From: Chris Garrigues <cwg@DeepEddy.Com>
Errors-To: owner-www-security@ns2.rutgers.edu
> My original question was if there were any security concerns with
> allowing users to finger your system. The result of the answers I
> acquired was no. The fingering may give more information than you want
> them to have; however, you can easily limit the amount of information
> that the people get.
I'm surprised you didn't get any cautionary messages to make sure that you're
running a reasonably modern version of the finger daemon on your system.
finger was one of the paths that the internet worm used to infiltrate Unix
systems. This was due to a missing bounds check in libc that allowed the
input to overrun into the executable code and thereby modify it on the fly.
A fine example of how even the most innocent-seeming protocol can be a problem
if the implementation is buggy.
Chris
--
Chris Garrigues O- cwg@DeepEddy.Com
Deep Eddy Internet Consulting +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/
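Added example, not part of the original message and not code from any finger daemon: the kind of bounds check the message says was missing, applied to reading a finger request line into a fixed-size buffer. The names `read_request`, `stream_of` and `REQ_MAX` and the 512-byte limit are assumptions, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>
#define REQ_MAX 512   /* assumed request-line limit for this example */

/* Read one request line from `in` into buf[cap], never writing past cap.
 * Returns the line length (CR/LF stripped), -1 on EOF or error, and -2 when
 * the line does not fit: the remainder is drained and the request rejected
 * instead of being truncated silently or spilling past the buffer. */
int read_request(FILE *in, char *buf, size_t cap)
{
    size_t len;
    int c, extra = 0;
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    len = strlen(buf);
    if (len == 0 || buf[len - 1] != '\n') {
        /* No newline seen: either a final unterminated line or an over-long one. */
        while ((c = getc(in)) != EOF && c != '\n')
            extra = 1;
        if (extra)
            return -2;
    }
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        buf[--len] = '\0';
    return (int)len;
}

/* Constructed sample input: place n bytes of s in a temporary stream. */
FILE *stream_of(const char *s, size_t n)
{
    FILE *f = tmpfile();
    if (f) { fwrite(s, 1, n, f); rewind(f); }
    return f;
}

int main(void)
{
    char buf[REQ_MAX], big[2 * REQ_MAX];
    FILE *f = stream_of("alice\r\n", 7);
    if (!f) return 1;
    printf("normal request:    %d\n", read_request(f, buf, sizeof buf));
    fclose(f);
    memset(big, 'A', sizeof big);          /* twice the buffer size */
    big[sizeof big - 1] = '\n';
    if (!(f = stream_of(big, sizeof big))) return 1;
    printf("oversized request: %d\n", read_request(f, buf, sizeof buf));
    fclose(f);
    return 0;
}
```

Draining the rest of an over-long line keeps the stream aligned on the next request, so one rejected line does not corrupt the parsing of what follows.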