Diffstat (limited to 'share/security/advisories/FreeBSD-SA-00:54.fingerd.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-00:54.fingerd.asc | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-00:54.fingerd.asc b/share/security/advisories/FreeBSD-SA-00:54.fingerd.asc
new file mode 100644
index 0000000000..5f9819345c
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-00:54.fingerd.asc
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SA-00:54 Security Advisory
+ FreeBSD, Inc.
+
+Topic: fingerd allows remote reading of filesystem
+
+Category: core
+Module: fingerd
+Announced: 2000-10-13
+Credits: NIIMI Satoshi <sa2c@and.or.jp>
+Affects: FreeBSD 4.1.1-RELEASE
+Corrected: 2000-10-05 (4.1.1-STABLE)
+FreeBSD only: Yes
+
+I. Background
+
+The finger service is used to provide information about users on the
+system to remote clients.
+
+II. Problem Description
+
+Shortly before the release of FreeBSD 4.1.1, code was added to
+finger(1) intended to allow the utility to send the contents of
+administrator-specified files in response to a finger request. However
+the code incorrectly allowed users to specify a filename directly, the
+contents of which would be returned to the user.
+
+The finger daemon usually runs as user 'nobody' and invokes the
+finger(1) command in response to a remote request, meaning it does not
+have access to privileged files on the system (such as the hashed
+password file /etc/master.passwd), however the vulnerability may be
+used to read arbitrary files to which the 'nobody' user has read
+permission. This may disclose internal information including
+information which may be used to mount further attacks against the
+system.
+
+Note that servers running web and other services often incorrectly run
+these as the 'nobody' user, meaning this vulnerability may be used to
+read internal web server data such as web server password files, the
+source code to cgi-bin scripts, etc.
+
+FreeBSD 4.1-RELEASE, 4.0-RELEASE, 3.5.1-RELEASE and FreeBSD 4.1-STABLE
+systems dated before 2000-09-01 or after 2000-10-05 are unaffected by
+this vulnerability.
+
+III. Impact
+
+Remote users can obtain read access (as the 'nobody' user) to large
+parts of the local filesystem on systems running a vulnerable
+fingerd. 
This may disclose confidential information and may facilitate
+further attacks on the system.
+
+IV. Workaround
+
+Disable the finger protocol in /etc/inetd.conf: make sure the
+/etc/inetd.conf file does not contain the following entry
+uncommented (i.e. if present in the inetd.conf file it should be
+commented out as shown below:)
+
+#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
+
+On IPv6-connected systems, be sure to disable the IPv6 instance of the
+finger daemon as well:
+
+#finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
+
+V. Solution
+
+One of the following:
+
+1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated after
+the correction date.
+
+2) Apply the patch below and rebuild your fingerd binary.
+
+Either save this advisory to a file, or download the patch and
+detached PGP signature from the following locations, and verify the
+signature using your PGP utility.
+
+ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch
+ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch.asc
+
+# cd /usr/src/usr.bin/finger
+# patch -p < /path/to/patch_or_advisory
+# make all install
+# cd /usr/src/libexec/fingerd
+# make all install
+
+Patch for vulnerable 4.1.x systems:
+
+ Index: finger.c
+ ===================================================================
+ RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v
+ retrieving revision 1.15.2.3
+ retrieving revision 1.21
+ diff -u -r1.15.2.3 -r1.21
+ --- finger.c 2000/09/15 21:51:00 1.15.2.3
+ +++ finger.c 2000/10/05 15:56:13 1.21
+ 
@@ -293,6 +293,16 @@ + goto net; + + /* + + * Mark any arguments beginning with '/' as invalid so that we + + * don't accidently confuse them with expansions from finger.conf + + */ + + for (p = argv, ip = used; *p; ++p, ++ip) + + if (**p == '/') { + + *ip = 1; + + warnx("%s: no such user", *p); + + } + + + + /* + * Traverse the finger alias configuration file of the form + * alias:(user|alias), ignoring comment lines beginning '#'. + */ + @@ -323,11 +333,11 @@ + * gathering the traditional finger information. + */ + if (mflag) + - for (p = argv; *p; ++p) { + - if (**p != '/' || !show_text("", *p, "")) { + + for (p = argv, ip = used; *p; ++p, ++ip) { + + if (**p != '/' || *ip == 1 || !show_text("", *p, "")) { + if (((pw = getpwnam(*p)) != NULL) && !hide(pw)) + enter_person(pw); + - else + + else if (!*ip) + warnx("%s: no such user", *p); + } + } + +-----BEGIN PGP SIGNATURE----- +Version: 2.6.2 + +iQCVAwUBOebB4FUuHi5z0oilAQEE1AP+I7zDBn5TagYJEELea7ltGkNZ5h3nZi5E +FwxqYekriycAzOqctwzu7lO2AO7KoPTzAfu4OCd+s+ijK+zpXkt+eOAttbhPwENJ +RMAJPwcGr139mIT2ofuEUhtE9NZ66gg7WNh+8ixjtovKbZl1W/slX+wOqlaCcbLm +U4t3bj6bx5M= +=fg83 +-----END PGP SIGNATURE----- |