Date: Fri, 23 Apr 1999 19:26:13 +0300 From: Eilon Gishri To: BUGTRAQ@netspace.org Subject: Ffingerd privacy issues Hi, I found a couple of bugs in ffingerd 1.19 which are related to privacy. Here goes: The permission on root's home directory are now 700 (/home/root). ----- (aristo)/cc/eilon>finger root@host.domain [host.domain] Login: root Name: #6 No project. No plan. No public key. ----- A lesson in how not to be seen. On host.domain, the user doesn't want to be seen (please stand up :)). Too bad, his/her home directory's permissions (which says 'I want some privacy') makes ffingerd state otherwise. Ffingerd looks for the file .nofinger in the user's home directory but due to the current state of permissions on it, it can't be accessed thus "there is no such file" and there for is happy to supply us with the user's information. ----- # cd ~root # ls -l .nofinger -rw-r--r-- 1 root system 0 Apr 23 18:01 .nofinger # ls -ld . drwx------ 5 root system 512 Apr 23 18:01 . # chmod 755 . ----- Now lets try again. ----- (aristo)/cc/eilon>finger root@host.domain [host.domain] That user does not want to be fingered ----- Hmmm, now for an unknown user. ----- (aristo)/cc/eilon>finger root1@host.domain [host.domain] That user does not want to be fingered. ----- Oops. Notice the dot ('.') at the end of the sentence. A very simple and efficient way to find whether the user exists on the remote host or not (taking into account the fact that ffingerd has been installed on the remote host). Attached here a patch to fix those problems. -- Eilon Gishri eilon@aristo.tau.ac.il Security Consultant Office: +972-3-6406723 Israel Inter University Computation Center Fax: +972-3-6409118 /* On a matter of national security */ Home: +972-3-5078671 [ Part 1.2, Text/PLAIN 20 lines. ] --- ffingerd.c.old Thu Feb 18 12:50:36 1999 +++ ffingerd.c Fri Apr 23 18:48:54 1999 @@ -134,7 +134,7 @@ setgid(pwd->pw_gid); setuid(pwd->pw_uid); sprintf(filename,"%.200s/.nofinger",pwd->pw_dir); - if (lstat(filename,&stat_buf)) { + if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) { #ifndef NO_SYSLOG #ifdef FASCIST_LOGGING char message[512]; @@ -154,7 +154,7 @@ dump_file(filename,"Public key:","No public key."); } else { char message[512]; - puts("That user does not want to be fingered"); + puts("That user does not want to be fingered."); #ifndef NO_SYSLOG sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote); syslog(LOG_FACILITY,"%s",message); ------------------------------------------------------------------------------ Date: Fri, 23 Apr 1999 19:43:33 +0200 From: Felix von Leitner To: BUGTRAQ@netspace.org Subject: Re: Ffingerd privacy issues Thus spake Eilon Gishri (eilon@aristo.tau.ac.il): > I found a couple of bugs in ffingerd 1.19 which are related to > privacy. OK. I would be happy if you email me (the author) first before publishing this on bugtraq. Next time, maybe. [ffingerd assumes the user wants to be fingered if his home does not give public execute access] This is documented in ffingerd. If you want ffingerd to look into protected homes, run it as root. > ----- > (aristo)/cc/eilon>finger root@host.domain > [host.domain] > That user does not want to be fingered > ----- > Hmmm, now for an unknown user. > ----- > (aristo)/cc/eilon>finger root1@host.domain > [host.domain] > That user does not want to be fingered. > ----- > Oops. Notice the dot ('.') at the end of the sentence. A very simple > and efficient way to find whether the user exists on the remote host > or not (taking into account the fact that ffingerd has been installed > on the remote host). This has been pointed out to me yesterday. I fixed it today (before I saw this message, by the way), and announced version 1.20 on Freshmeat pointing out this fixed problem. Did you see my announcement and then posted to bugtraq? > --- ffingerd.c.old Thu Feb 18 12:50:36 1999 > +++ ffingerd.c Fri Apr 23 18:48:54 1999 > @@ -134,7 +134,7 @@ > setgid(pwd->pw_gid); > setuid(pwd->pw_uid); > sprintf(filename,"%.200s/.nofinger",pwd->pw_dir); > - if (lstat(filename,&stat_buf)) { > + if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) { > #ifndef NO_SYSLOG > #ifdef FASCIST_LOGGING > char message[512]; This is debatable. If a user wants privacy, he should remove the world readable permission, not the world executable permission. I will not add this right now but think it over. If anyone wants to comment on the way to go here, feel free to email me. I would prefer discussion this in private email than on bugtraq, but if you must, I will also read bugtraq comments. > @@ -154,7 +154,7 @@ > dump_file(filename,"Public key:","No public key."); > } else { > char message[512]; > - puts("That user does not want to be fingered"); > + puts("That user does not want to be fingered."); > #ifndef NO_SYSLOG > sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote); > syslog(LOG_FACILITY,"%s",message); This has already been fixed. Felix ------------------------------------------------------------------------------ Date: Fri, 23 Apr 1999 22:00:08 +0300 From: Eilon Gishri To: BUGTRAQ@netspace.org Subject: Re: Ffingerd privacy issues On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote: > Thus spake Eilon Gishri (eilon@aristo.tau.ac.il): > > I found a couple of bugs in ffingerd 1.19 which are related to > > privacy. > > OK. I would be happy if you email me (the author) first before > publishing this on bugtraq. Next time, maybe. I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (A very complicated one I must say :)) I also notified the list. I'm not sure I would have done the same if I couldn't fix it myself. > [ffingerd assumes the user wants to be fingered if his home does not > give public execute access] Huh, It's opened if it's closed ? > This is documented in ffingerd. If you want ffingerd to look into > protected homes, run it as root. I want the machine itself to be protected and not only the users home directory. I consider it a feature when I don't have to run fingerd as root. Please don't consider it as a flame, I do like this utility and am using it. > > ----- > > (aristo)/cc/eilon>finger root@host.domain > > [host.domain] > > That user does not want to be fingered > > ----- > > > Hmmm, now for an unknown user. > > > ----- > > (aristo)/cc/eilon>finger root1@host.domain > > [host.domain] > > That user does not want to be fingered. > > ----- > > > Oops. Notice the dot ('.') at the end of the sentence. A very simple > > and efficient way to find whether the user exists on the remote host > > or not (taking into account the fact that ffingerd has been installed > > on the remote host). > > This has been pointed out to me yesterday. I fixed it today (before I > saw this message, by the way), and announced version 1.20 on Freshmeat > pointing out this fixed problem. Did you see my announcement and then > posted to bugtraq? Nope. I was playing with it on a machine which I would like to see all fingers which are done to it without giving away any "free" information > This is debatable. > If a user wants privacy, he should remove the world readable permission, > not the world executable permission. I disagree. > I will not add this right now but think it over. If anyone wants to > comment on the way to go here, feel free to email me. I would prefer > discussion this in private email than on bugtraq, but if you must, I > will also read bugtraq comments. -- Eilon Gishri eilon@aristo.tau.ac.il Security Consultant Office: +972-3-6406723 Israel Inter University Computation Center Fax: +972-3-6409118 /* On a matter of national security */ Home: +972-3-5078671 ------------------------------------------------------------------------------ Date: Fri, 23 Apr 1999 15:46:59 -0500 From: Dagmar d'Surreal To: BUGTRAQ@netspace.org Subject: Re: Ffingerd privacy issues Parts/Attachments: 1 Shown 36 lines Text 2 OK 1.4 KB Application, "" ---------------------------------------- As to the matter of the home directories being world-readable/executeable... Having the finger daemon assume that there is no .nofinger file because the home directory in question is not readable, but still executeable, breaks a few things. On multi-user machines, some users will be extremely paranoid, and will not wish to use anything BUT mode 700, because having the directory world-executeable will allow other users on the system to detect the presence of certain files in their directory (like .rhosts, .forward, .promcail, .pinerc) that may allow them to launch attacks at that particular user, knowing that there's a good chance that the user uses a vulnerable package, and quite possibly even the last time they used it depending on the file. After seeing the post on freshmeat, it occurred to me that I had forgotten to email Felix the patch for 1.18 that took care of the punctuation as well as a few other issues, and I now notice that I sent him the wrong version of the patch this morning anyway. (A version which did not have the directory mode issue fixed, but at least my binary has been working all this time thankfully.) Eilon Gishri dealt with it a lot more elegantly than I did anyway. ;) Attached is a patch which applies to the 1.20 version of Fefe's Finger Daemon, which includes both Eilon Gishri's patches to deal with paranoid users whose home directories are mode 700 (the punctuation problem had already been fixed in 1.20), and my misdirection patches that add the .fakefinger (lets users controly exactly what will be returned when they are fingered) file use, and the /etc/ffingerd.empty and /etc/ffingerd.indirect files which allow a sysadmin to change what kind of message is sent to people when they try indirect or empty finger queries without having to edit the source and recompile the daemon. ---------- Unsolicited commercial email sent to this address will be forwarded to uce@ftc.gov, or responded to late in the evening after I've been clubbing long enough to be fairly drunk, and at least twice as verbally abusive.