[linux-security] Finger Doubt (fwd)

Jan John jr. johnjr at bobr.fjfi.cvut.cz
Thu Sep 19 14:06:35 CEST 1996

I am sending you this curiosity; it annoyed me quite a bit. I use
cfingerd, and I really did manage to destroy the /bin directory with 1 command
and by fingering my own system twice :))))).


Howdy people!

On Tue, 17 Sep 1996, Administrador da Rede wrote:
> I use the newest version of cfinger, set to not allow general finger, just
> specific ones. Does anyone know how this person did that? I hope I can
> find out, otherwise, bye bye finger service.


I have sent the author a letter, but never got any reply back (it's 3
months later now!), so I just take the opportunity to warn the public
against its use.

Excerpts from the source (1.2.3, older versions have been a bit more
directly broken, now it has root privs only at the moments it shouldn't

	"This daemon must be run as root!"

[And unfortunately, does..]

	unlink ("/tmp/fslist");
        sprintf(st, "%s | tail +2 >> /tmp/fslist",

A similarly terrible one some lines later:

	system("cat /tmp/fslist | sort > /tmp/fslist.sort");

As it stands, it can allow any local user to destroy any file on the
system, including partition tables on disks.  Please someone correct me if
I am wrong, I tried this with cfingerd-1.2.2 and it allowed me to do bad

I was a bit disappointed by the lack of any reply from the author, so I
think I am now justified to tell that

if anyone installed cfingerd (about 1.1 or later) on his system, disable
it IMMEDIATELY, until at least the author clarifies this bug in a new
version.  The current version is BAD.

However if you just need a finger daemon, you may take a look at xfingerd,
which is the one I wrote when I got desperate about cfingerd. (If you take
a look at its date stamp, you can see that cfingerd is long broken..)  I
too can't guarantee that it's good for you, but it at least doesn't require
to be run as root, which is why I started being against cfingerd.

I hope this note finds everyone concerned.
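
The excerpts quoted in this message write to fixed names under /tmp from a root process, through the shell. As an added example (not part of the original post and not cfingerd's code), this is one way to create such scratch files so that a path someone else already placed there is never written through; the function names and the test directory layout are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Scratch file with an unpredictable name: mkstemp() opens with O_EXCL,
 * so it never reuses or follows a path that already exists. */
int open_scratch(char *tmpl) {
    mode_t old = umask(077);   /* owner-only, whatever the libc default */
    int fd = mkstemp(tmpl);
    umask(old);
    return fd;
}

/* If a fixed name is unavoidable, refuse anything already present there. */
int open_fixed_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private test directory: "fslist" already exists
 * as a link to "victim". Returns 0 when the fixed-name open is refused, the
 * victim keeps its 4 bytes, and the scratch file is a private regular file. */
int demo(void) {
    char dir[] = "/tmp/fsdemoXXXXXX", victim[64], lnk[64], scratch[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/fslist", dir);
    snprintf(scratch, sizeof scratch, "%s/fslist.XXXXXX", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || write(v, "keep", 4) != 4 || close(v) || symlink(victim, lnk))
        return -1;
    int fixed = open_fixed_exclusive(lnk);
    int refused = fixed == -1 && (errno == EEXIST || errno == ELOOP);
    int fd = open_scratch(scratch);
    int ok = refused && fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 077) == 0
             && stat(victim, &st) == 0 && st.st_size == 4;
    if (fd >= 0) close(fd);
    unlink(scratch); unlink(lnk); unlink(victim); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

Sorting the data inside the process and writing through the returned descriptor also removes the need for the `system()` pipeline altogether.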



