[3038] in WWW Security List Archive
Re[2]: SUMMARY: Finger& Security Problems
daemon@ATHENA.MIT.EDU (Mark_W_Loveless@smtp.bnr.com)
Mon Sep 23 15:48:16 1996
From: Mark_W_Loveless@smtp.bnr.com
Date: Mon, 23 Sep 96 11:50:22 CST
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Although most if not all modern fingerd's are not vulnerable to the
infamous worm hole, the fact is that finger allows a user who is not
on your system to see info (depending on configuration of your system)
like a user's full name, last time logged in, the shell used, if they
have mail, where they last logged in from, possibly phone number and
anything else the user (or admin) put in gecos. If you have no problem
with an outsider knowing this, then running fingerd is no problem.
Just be aware that idle accounts (especially one that has never been
logged into with a shell) might be a temptation to some individuals to
access your system.

If on your local network you wish to allow fingering but not from the
outside, consider using tcp_wrapper and limiting access to fingerd to
YOUR network only.

A bit off-topic, but....

Mark_W_Loveless@smtp.bnr.com
Opinions my own, not my employer
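
Added example (not part of the original message): a small evaluator for the tcp_wrapper restriction suggested above, showing which clients a hosts.allow/hosts.deny pair would let reach fingerd. The policy text is constructed, 192.0.2.0/24 stands in for the local network, the daemon name in.fingerd is an assumption, and only a subset of hosts_access(5) pattern syntax is handled.

```python
# Added example: simplified evaluator for tcp_wrappers access rules.
# Handles a subset of hosts_access(5): daemon lists, ALL, address
# prefixes ("192.0.2."), net/mask pairs and exact IPv4 addresses.
import ipaddress

# Constructed sample policy: 192.0.2.0/24 stands in for "YOUR network".
# The daemon name in.fingerd is an assumption; it must match the process
# name that inetd actually starts on the system.
HOSTS_ALLOW = """
# local network may finger us
in.fingerd: 192.0.2.
"""
HOSTS_DENY = """
in.fingerd: ALL
"""

def parse(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # address prefix, e.g. "192.0.2."
        return addr.startswith(pattern)
    if "/" in pattern:             # net/mask, e.g. 192.0.2.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr         # exact address

def matches(rules, daemon, addr):
    return any((daemon in d or "ALL" in d)
               and any(client_matches(c, addr) for c in cl)
               for d, cl in rules)

def allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match grants access."""
    if matches(parse(allow_text), daemon, addr):
        return True
    return not matches(parse(deny_text), daemon, addr)
```

With an empty hosts.deny the same allow rule restricts nothing, because a client that matches neither file is granted access. The files are only consulted if inetd starts the finger service through tcpd.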
______________________________ Reply Separator _________________________________
Subject: Re: SUMMARY: Finger& Security Problems
Author: Chris Garrigues <cwg@DeepEddy.Com> at internet
Date: 9/21/96 7:13 AM

> My original question was if there were any security concerns with
> allowing users to finger your system. The result of the answers I
> acquired was no. The fingering may give more information than you want
> them to have; however, you can easily limit the amount of information
> that the people get.

I'm surprised you didn't get any cautionary messages to make sure that you're
running a reasonably modern version of the finger daemon on your system.
finger was one of the paths that the internet worm used to infiltrate Unix
systems. This was due to a missing bounds check in libc that allowed the
input to overrun into the executable code and thereby modify it on the fly.
A fine example of how even the most innocent-seeming protocol can be a problem
if the implementation is buggy.

Chris
--
Chris Garrigues O- cwg@DeepEddy.Com
Deep Eddy Internet Consulting +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/