[10332] in bugtraq
Ffingerd privacy issues
daemon@ATHENA.MIT.EDU (Eilon Gishri)
Fri Apr 23 13:23:49 1999
Mail-Followup-To: leitner@math.fu-berlin.de, BUGTRAQ@NETSPACE.ORG
Message-Id: <19990423192612.A20086@aristo.tau.ac.il>
Date: Fri, 23 Apr 1999 19:26:13 +0300
Reply-To: Eilon Gishri <eilon@ARISTO.TAU.AC.IL>
From: Eilon Gishri <eilon@ARISTO.TAU.AC.IL>
X-To: leitner@math.fu-berlin.de
To: BUGTRAQ@NETSPACE.ORG
Hi,
I found a couple of bugs in ffingerd 1.19 which are related to
privacy.
Here goes:
The permissions on root's home directory are now 700 (/home/root).
-----
(aristo)/cc/eilon>finger root@host.domain
[host.domain]
Login: root Name: #6
No project.
No plan.
No public key.
-----
A lesson in how not to be seen. On host.domain, the user doesn't want
to be seen (please stand up :)). Too bad, his/her home directory's
permissions (which say 'I want some privacy') make ffingerd state
otherwise. Ffingerd looks for the file .nofinger in the user's home
directory, but due to the current permissions on it, the file can't
be accessed, thus "there is no such file", and ffingerd is therefore
happy to supply us with the user's information.
-----
# cd ~root
# ls -l .nofinger
-rw-r--r-- 1 root system 0 Apr 23 18:01 .nofinger
# ls -ld .
drwx------ 5 root system 512 Apr 23 18:01 .
# chmod 755 .
-----
Now let's try again.
-----
(aristo)/cc/eilon>finger root@host.domain
[host.domain]
That user does not want to be fingered
-----
Hmmm, now for an unknown user.
-----
(aristo)/cc/eilon>finger root1@host.domain
[host.domain]
That user does not want to be fingered.
-----
Oops. Notice the dot ('.') at the end of the sentence. A very simple
and efficient way to find whether the user exists on the remote host
or not (taking into account the fact that ffingerd has been installed
on the remote host).
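As an added illustration (my code, not ffingerd's source and not the author's patch below), the same two fixes written as a stand-alone fail-closed check plus one shared reply string; the function names and the `/tmp/fhome.*` fixture directories are my own constructions:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum finger_policy { FINGER_SHOW, FINGER_HIDE };

/* Fail-closed .nofinger check: show the user only when lstat() says the file
 * definitely does not exist (ENOENT).  EACCES on a mode-0700 home (daemon
 * not running as root), ELOOP, ENAMETOOLONG, ... all keep the user hidden. */
enum finger_policy nofinger_policy(const char *home)
{
    char path[1024];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/.nofinger", home) >= (int)sizeof path)
        return FINGER_HIDE;                 /* truncated path: refuse */
    if (lstat(path, &st) == 0)
        return FINGER_HIDE;                 /* .nofinger is present */
    return errno == ENOENT ? FINGER_SHOW : FINGER_HIDE;
}

/* One shared string for "hidden" and "no such user", so the reply text
 * cannot reveal whether the account exists. */
static const char HIDDEN_REPLY[] = "That user does not want to be fingered.";

/* Returns the reply to send, or NULL when the caller may dump the user's files. */
const char *finger_reply(int user_exists, enum finger_policy policy)
{
    if (!user_exists || policy == FINGER_HIDE)
        return HIDDEN_REPLY;
    return NULL;
}

/* Constructed fixture: a throwaway home dir under /tmp with the given mode
 * and, optionally, an empty .nofinger inside.  Returns the directory path. */
char *make_home(int with_nofinger, mode_t mode)
{
    char *dir = malloc(64), file[96];
    int fd;
    snprintf(dir, 64, "/tmp/fhome.%ld.%d.%o", (long)getpid(), with_nofinger, (unsigned)mode);
    if (mkdir(dir, 0755) != 0 && errno != EEXIST)
        return NULL;
    if (with_nofinger) {
        snprintf(file, sizeof file, "%s/.nofinger", dir);
        if ((fd = open(file, O_WRONLY | O_CREAT, 0644)) >= 0)
            close(fd);
    }
    chmod(dir, mode);                       /* applied last, after populating */
    return dir;
}
```

Run unprivileged to see the EACCES case; root bypasses directory permissions, so for root the 0000-mode home behaves like a readable one.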
Attached here is a patch to fix those problems.
-- 
Eilon Gishri eilon@aristo.tau.ac.il
Security Consultant Office: +972-3-6406723
Israel Inter University Computation Center Fax: +972-3-6409118
/* On a matter of national security */ Home: +972-3-5078671
Content-Disposition: attachment; filename="ffingerd-1.19.patch"
--- ffingerd.c.old Thu Feb 18 12:50:36 1999
+++ ffingerd.c Fri Apr 23 18:48:54 1999
@@ -134,7 +134,7 @@
setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);
- if (lstat(filename,&stat_buf)) {
+ if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {
#ifndef NO_SYSLOG
#ifdef FASCIST_LOGGING
char message[512];
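Review bot: the new condition on the `if` fails closed, which is the right shape for this fix: only `ENOENT` now reaches the branch that discloses the user, so `EACCES` from a 0700 home (and `ELOOP`, `ENAMETOOLONG`, etc.) falls into the "does not want to be fingered" branch. Two things to confirm outside this hunk: `errno` needs `<errno.h>` included, and the `setgid(pwd->pw_gid); setuid(pwd->pw_uid);` calls just above are unchecked, so when the daemon is not root they fail silently and the `lstat` runs with the daemon's own uid, which is exactly how the EACCES case arises. It would help operators to log non-ENOENT errors under `FASCIST_LOGGING` so a misconfigured home is visible rather than just hidden.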
@@ -154,7 +154,7 @@
dump_file(filename,"Public key:","No public key.");
} else {
char message[512];
- puts("That user does not want to be fingered");
+ puts("That user does not want to be fingered.");
#ifndef NO_SYSLOG
sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);
syslog(LOG_FACILITY,"%s",message);
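Review bot: the added trailing period makes this reply byte-identical to the unknown-user message, which closes the one-character oracle the report demonstrates; put both strings in one shared constant so they cannot drift apart again. Only the text is equalised here: this path still performs the uid switch, the `lstat` and a `syslog` call before replying, so whatever the unknown-user path does should stay comparably cheap if response timing is a concern. Minor: the trailing `\n` in the `sprintf` format is unnecessary for a syslog message.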