[20779] in bugtraq


Re: in.fingerd follows sym-links on Solaris 8

daemon@ATHENA.MIT.EDU (J. Bol)
Mon May 28 14:22:12 2001

Message-ID: <3B124B44.B3F944CE@itsec.nl>
Date: Mon, 28 May 2001 14:57:40 +0200
From: "J. Bol" <j.bol@itsec.nl>
MIME-Version: 1.0
To: Lukasz Luzar <lluzar@developers.of.pl>
Cc: bugtraq@securityfocus.com

On a Solaris 8, i386 machine, I did the following:

$ ls -al
drwxr-xr-x  4  j      other   512 May 28, 14:12 .
drwxr-xr-x  5  root   root    512 May 28, 14:10 ..
lrwxrwxrwx  1  j      other     6 May 28, 14:12 .plan -> myplan
-rw-------  1  nobody nobody   17 May 28, 14:12 myplan
$ finger -l j@localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
No plan.

After I changed the mode of myplan to world-readable, finger gave me

$ finger -l j@localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
Plan:
This is my plan.

So I'd say in.fingerd is not vulnerable to the symlink attack you
describe.

J. Bol

Lukasz Luzar wrote:

> Hello,
>
>  Ok, the example wasn't good.
>  It was a long day for me, thus, please forgive me that slip-up.
>
>  The sym-link attack is very useful when you want to read
>  files that are readable only by an unprivileged user.
>
>  For example, many httpd servers work with the same privileges,
>  which means that you can read any CGI temporary file, and other
>  files readable only by CGI scripts.
>
>  I am thinking of a case where a CGI script saves some important
>  information in a temporary file, like PHP does with sessions:
>
>   -rw------- 1 nobody nobody    329 May 14 12:16  /tmp/sess_0cd156a633
>
>  When you have in.fingerd installed, and the in.fingerd is vulnerable,
>  all local users are able to read the information from the files.
>
>  There are a few other examples.
>
> --
> Lukasz Luzar
> http://Developers.of.PL/
> Crede quod habes, et habes

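The behaviour J. Bol observed (a .plan symlink to a 0600 file owned by someone else yields "No plan." until the target is made world-readable) is what a finger daemon gets when it evaluates the .plan target with the fingered user's own credentials rather than its own. The following is an added example, not code from this thread or from any fingerd; readable_as, plan_for and demo are names chosen here, and the demo stands in for user "nobody" with an arbitrary uid that is not the file owner.

```python
import os
import stat
import tempfile


def readable_as(path: str, uid: int, gid: int, groups=()) -> bool:
    """True if a process running as uid/gid could read `path`.

    Symlinks are followed (as open() would), but the permission test is
    applied to the final target with the *user's* identity, not the
    daemon's. A dangling link, a lookup error or a non-regular file
    counts as unreadable. uid 0 is treated as able to read anything.
    """
    try:
        st = os.stat(path)  # follows the symlink to its target
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False  # refuse devices, FIFOs, directories
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def plan_for(home: str, uid: int, gid: int) -> str:
    """Produce the .plan section of finger -l output for one user."""
    plan = os.path.join(home, ".plan")
    if not readable_as(plan, uid, gid):
        return "No plan."
    with open(plan, "r") as f:
        return "Plan:\n" + f.read()


def demo():
    # Constructed scenario from the thread: .plan -> myplan, myplan is 0600
    # and owned by someone other than the fingered user.
    home = tempfile.mkdtemp()
    target = os.path.join(home, "myplan")
    with open(target, "w") as f:
        f.write("This is my plan.\n")
    os.chmod(target, 0o600)
    os.symlink("myplan", os.path.join(home, ".plan"))
    other_uid, other_gid = os.getuid() + 1, os.getgid() + 1  # "nobody" stand-in
    before = plan_for(home, other_uid, other_gid)  # owner differs: denied
    os.chmod(target, 0o644)
    after = plan_for(home, other_uid, other_gid)  # world-readable: shown
    return before, after
```

The second chmod in demo reproduces the "No plan." to "Plan:" transition from the message; a daemon that instead opened the target as root would print the plan in both cases.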
