[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : fingerd allows remote reading of filesystem

Title: fingerd allows remote reading of filesystem
Released by: FreeBSD
Date: 13th October 2000
Printable version: Click here


FreeBSD-SA-00:54                                           Security Advisory

                                                                FreeBSD, Inc.

Topic:          fingerd allows remote reading of filesystem

Category:       core

Module:         fingerd

Announced:      2000-10-13

Credits:        NIIMI Satoshi 

Affects:        FreeBSD 4.1.1-RELEASE

Corrected:      2000-10-05 (4.1.1-STABLE)

FreeBSD only:   Yes

I.   Background

The finger service is used to provide information about users on the

system to remote clients.

II.  Problem Description

Shortly before the release of FreeBSD 4.1.1, code was added to

finger(1) intended to allow the utility to send the contents of

administrator-specified files in response to a finger request. However

the code incorrectly allowed users to specify a filename directly, the

contents of which would be returned to the user.

The finger daemon usually runs as user 'nobody' and invokes the

finger(1) command in response to a remote request, meaning it does not

have access to privileged files on the system (such as the hashed

password file /etc/master.passwd), however the vulnerability may be

used to read arbitrary files to which the 'nobody' user has read

permission. This may disclose internal information including

information which may be used to mount further attacks against the


Note that servers running web and other services often incorrectly run

these as the 'nobody' user, meaning this vulnerability may be used to

read internal web server data such as web server password files, the

source code to cgi-bin scripts, etc.

FreeBSD 4.1-RELEASE, 4.0-RELEASE, 3.5.1-RELEASE and FreeBSD 4.1-STABLE

systems dated before 2000-09-01 or after 2000-10-05 are unaffected by

this vulnerability.

III. Impact

Remote users can obtain read access (as the 'nobody' user) to large

parts of the local filesystem on systems running a vulnerable

fingerd. This may disclose confidential information and may facilitate

further attacks on the system.

IV.  Workaround

Disable the finger protocol in /etc/inetd.conf: make sure the

/etc/inetd.conf file does not contain the following entry

uncommented (i.e. if present in the inetd.conf file it should be

commented out as shown below:)

#finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s

On IPv6-connected systems, be sure to disable the IPv6 instance of the

finger daemon as well:

#finger stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated after

the correction date.

2) Apply the patch below and rebuild your fingerd binary.

Either save this advisory to a file, or download the patch and

detached PGP signature from the following locations, and verify the

signature using your PGP utility.



# cd /usr/src/usr.bin/finger

# patch -p < /path/to/patch_or_advisory

# make all install

# cd /usr/src/libexec/fingerd

# make all install

Patch for vulnerable 4.1.x systems:

    Index: finger.c


    RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v

    retrieving revision

    retrieving revision 1.21

    diff -u -r1.15.2.3 -r1.21

    --- finger.c 2000/09/15 21:51:00

    +++ finger.c 2000/10/05 15:56:13 1.21

    @@ -293,6 +293,16 @@

     goto net;


    + * Mark any arguments beginning with '/' as invalid so that we

    + * don't accidently confuse them with expansions from finger.conf

    + */

    + for (p = argv, ip = used; *p; ++p, ++ip)

    +     if (**p == '/') {

    + *ip = 1;

    + warnx("%s: no such user", *p);

    +     }


    + /*

     * Traverse the finger alias configuration file of the form

     * alias:(user|alias), ignoring comment lines beginning '#'.


    @@ -323,11 +333,11 @@

     * gathering the traditional finger information.


     if (mflag)

    - for (p = argv; *p; ++p) {

    - if (**p != '/' || !show_text("", *p, "")) {

    + for (p = argv, ip = used; *p; ++p, ++ip) {

    + if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {

     if (((pw = getpwnam(*p)) != NULL) && !hide(pw))


    -    else

    + else if (!*ip)

     warnx("%s: no such user", *p);




Version: 2.6.2







(C) 1999-2000 All rights reserved.