1 files changed, 142 insertions, 0 deletions

diff --git a/share/security/advisories/FreeBSD-SA-00:54.fingerd.asc b/share/security/advisories/FreeBSD-SA-00:54.fingerd.asc
new file mode 100644
index 0000000000..5f9819345c
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-00:54.fingerd.asc
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SA-00:54                                           Security Advisory
+                                                                FreeBSD, Inc.
+
+Topic:          fingerd allows remote reading of filesystem
+
+Category:       core
+Module:         fingerd
+Announced:      2000-10-13
+Credits:        NIIMI Satoshi <sa2c@and.or.jp>
+Affects:        FreeBSD 4.1.1-RELEASE
+Corrected:      2000-10-05 (4.1.1-STABLE)
+FreeBSD only:   Yes
+
+I.   Background
+
+The finger service is used to provide information about users on the
+system to remote clients.
+
+II.  Problem Description
+
+Shortly before the release of FreeBSD 4.1.1, code was added to
+finger(1) intended to allow the utility to send the contents of
+administrator-specified files in response to a finger request. However
+the code incorrectly allowed users to specify a filename directly, the
+contents of which would be returned to the user.
+
+The finger daemon usually runs as user 'nobody' and invokes the
+finger(1) command in response to a remote request, meaning it does not
+have access to privileged files on the system (such as the hashed
+password file /etc/master.passwd), however the vulnerability may be
+used to read arbitrary files to which the 'nobody' user has read
+permission. This may disclose internal information including
+information which may be used to mount further attacks against the
+system.
+
+Note that servers running web and other services often incorrectly run
+these as the 'nobody' user, meaning this vulnerability may be used to
+read internal web server data such as web server password files, the
+source code to cgi-bin scripts, etc.
+
+FreeBSD 4.1-RELEASE, 4.0-RELEASE, 3.5.1-RELEASE and FreeBSD 4.1-STABLE
+systems dated before 2000-09-01 or after 2000-10-05 are unaffected by
+this vulnerability.
+
+III. Impact
+
+Remote users can obtain read access (as the 'nobody' user) to large
+parts of the local filesystem on systems running a vulnerable
+fingerd. This may disclose confidential information and may facilitate
+further attacks on the system.
+
+IV.  Workaround
+
+Disable the finger protocol in /etc/inetd.conf: make sure the
+/etc/inetd.conf file does not contain the following entry
+uncommented (i.e. if present in the inetd.conf file it should be
+commented out as shown below:)
+
+#finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
+
+On IPv6-connected systems, be sure to disable the IPv6 instance of the
+finger daemon as well:
+
+#finger stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
+
+V.   Solution
+
+One of the following:
+
+1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated after
+the correction date.
+
+2) Apply the patch below and rebuild your fingerd binary.
+
+Either save this advisory to a file, or download the patch and
+detached PGP signature from the following locations, and verify the
+signature using your PGP utility.
+
+ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch
+ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch.asc
+
+# cd /usr/src/usr.bin/finger
+# patch -p < /path/to/patch_or_advisory
+# make all install
+# cd /usr/src/libexec/fingerd
+# make all install
+
+Patch for vulnerable 4.1.x systems:
+
+    Index: finger.c
+    ===================================================================
+    RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v
+    retrieving revision 1.15.2.3
+    retrieving revision 1.21
+    diff -u -r1.15.2.3 -r1.21
+    --- finger.c	2000/09/15 21:51:00	1.15.2.3
+    +++ finger.c	2000/10/05 15:56:13	1.21
+    @@ -293,6 +293,16 @@
+     		goto net;
+     
+     	/*
+    +	 * Mark any arguments beginning with '/' as invalid so that we 
+    +	 * don't accidently confuse them with expansions from finger.conf
+    +	 */
+    +	for (p = argv, ip = used; *p; ++p, ++ip)
+    +	    if (**p == '/') {
+    +		*ip = 1;
+    +		warnx("%s: no such user", *p);
+    +	    }
+    +
+    +	/*
+     	 * Traverse the finger alias configuration file of the form
+     	 * alias:(user|alias), ignoring comment lines beginning '#'.
+     	 */
+    @@ -323,11 +333,11 @@
+     	 * gathering the traditional finger information.
+     	 */
+     	if (mflag)
+    -		for (p = argv; *p; ++p) {
+    -			if (**p != '/' || !show_text("", *p, "")) {
+    +		for (p = argv, ip = used; *p; ++p, ++ip) {
+    +			if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {
+     				if (((pw = getpwnam(*p)) != NULL) && !hide(pw))
+     					enter_person(pw);
+    -			   	else
+    +				else if (!*ip)
+     					warnx("%s: no such user", *p);
+     			}
+     		}
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBOebB4FUuHi5z0oilAQEE1AP+I7zDBn5TagYJEELea7ltGkNZ5h3nZi5E
+FwxqYekriycAzOqctwzu7lO2AO7KoPTzAfu4OCd+s+ijK+zpXkt+eOAttbhPwENJ
+RMAJPwcGr139mIT2ofuEUhtE9NZ66gg7WNh+8ixjtovKbZl1W/slX+wOqlaCcbLm
+U4t3bj6bx5M=
+=fg83
+-----END PGP SIGNATURE-----