[14719] in bugtraq
Re: fingerd
daemon@ATHENA.MIT.EDU (Jeremy Rauch)
Fri Apr 28 18:59:07 2000
Message-Id: <20000427153506.A24647@securityfocus.com>
Date: Thu, 27 Apr 2000 15:35:06 -0700
Reply-To: Jeremy Rauch <jrauch@SECURITYFOCUS.COM>
From: Jeremy Rauch <jrauch@SECURITYFOCUS.COM>
X-To: Psarras Nikos <psarnik@IT.TEITHE.GR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SGI.4.05.10004271354520.14265-100000@aetos.it.teithe.gr>;
from psarnik@IT.TEITHE.GR on Thu, Apr 27, 2000 at 02:06:06PM +0300

On Thu, Apr 27, 2000 at 02:06:06PM +0300, Psarras Nikos wrote:
> I am new on the list so I don't know if you knew that.
>
> On Irix 6.4 with all patches installed the fingerd seems to like to
> display the shadow file to all users.
>
> >ln -s /etc/shadow /path/user/.plan
> >finger user@irix64.show.shadow
>
>
> This feature was found by a student -Zanikolas Serafim- while he was
> reading a 9-year-old system administrator's book.

I find this very very hard to believe. 6.5 and 6.2 are not vulnerable.
Both run fingerd as 'guest'

    finger stream tcp nowait guest /usr/etc/fingerd fingerd

making it impossible for finger to return the shadow. Unless someone
at SGI went and changed fingerd to run as root for the 6.4 release, and
fixed it for 6.5, something is amiss here. 6.4 isn't a release I've been
able to find someone running, however...

Have you checked the permissions on /etc/shadow?

-Jeremy
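
An added example, not part of the original post: a shell check for the two conditions the reply raises, namely which account the finger entry in inetd.conf runs as and whether the shadow file is readable by others. The function names and the sample file are constructed here; only the `finger ... guest` line is taken from the post.

```shell
#!/bin/sh
# Added example. Function names and the sample inetd.conf are constructed.

# Print the user field (5th column) of the first active entry for a service.
inetd_user() {   # $1 = service name, $2 = path to inetd.conf
    awk -v svc="$1" '
        $1 ~ /^#/ { next }                       # commented-out entry
        $1 == svc && NF >= 6 { print $5; exit }  # service sock proto wait user path
    ' "$2"
}

# Classify the finger entry: disabled, root, or unprivileged.
# A fingerd running as root can read whatever a user's .plan link points at.
finger_exposure() {   # $1 = path to inetd.conf
    u=$(inetd_user finger "$1")
    case "$u" in
        "")                  echo disabled ;;
        root|root.*|root:*)  echo root ;;        # some inetd variants accept user.group
        *)                   echo unprivileged ;;
    esac
}

# Exit status 0 if "other" has read permission on the file (links followed).
world_readable() {   # $1 = file
    [ "$(ls -ldL "$1" | cut -c8)" = r ]
}

# Demo on a constructed inetd.conf; the active finger line is the one in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
#finger stream tcp nowait root  /usr/etc/fingerd fingerd
finger  stream tcp nowait guest /usr/etc/fingerd fingerd
EOF
echo "finger runs as: $(inetd_user finger "$sample") ($(finger_exposure "$sample"))"
rm -f "$sample"

# Check the local shadow file only if this system has one.
if [ -e /etc/shadow ]; then
    if world_readable /etc/shadow; then
        echo "/etc/shadow is readable by other: any local account can read it"
    else
        echo "/etc/shadow is not readable by other"
    fi
fi
```
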