COMMAND

    fingerd

SYSTEMS AFFECTED

    FreeBSD 4.1.1-RELEASE i386

PROBLEM

    Przemyslaw Frasunek found  following.  If  finger takes full  path
    name as user name, it prints  out contents of that file.   Because
    fingerd  executes  finger  as  local  information provider, finger
    /path/to/file@some.host prints /path/to/file at some.host.

        finger /path/to/file@some.host

    Shortly before  the release  of FreeBSD  4.1.1, code  was added to
    finger(1) intended to  allow the utility  to send the  contents of
    administrator-specified  files  in  response  to a finger request.
    However the code incorrectly  allowed users to specify  a filename
    directly, the contents of which would be returned to the user.

    The finger daemon  usually runs as  user 'nobody' and  invokes the
    finger(1)  command  in  response  to  a remote request, meaning it
    does not have  access to privileged  files on the  system (such as
    the  hashed   password  file   /etc/master.passwd),  however   the
    vulnerability may  be used  to read  arbitrary files  to which the
    'nobody' user  has read  permission.   This may  disclose internal
    information  including  information  which  may  be  used to mount
    further attacks against the system.

    Note that servers running web and other services often incorrectly
    run these as the 'nobody' user, meaning this vulnerability may  be
    used to read internal web server data such as web server  password
    files, the source code to cgi-bin scripts, etc.

SOLUTION

    Disable  the  finger  protocol  in  /etc/inetd.conf: make sure the
    /etc/inetd.conf  file  does  not   contain  the  following   entry
    uncommented (i.e. if present in  the inetd.conf file it should  be
    commented out as shown below):

        #finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s

    On IPv6-connected systems,  be sure to  disable the IPv6  instance
    of the finger daemon as well:

        #finger stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s

    Solution is one of the following:
    1) Upgrade  your vulnerable  FreeBSD system  to 4.1.1-STABLE dated
       after the correction date.
    2) Apply the patch below and rebuild your fingerd binary.

    Index: finger.c
    ===================================================================
    RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v
    retrieving revision 1.15.2.3
    retrieving revision 1.21
    diff -u -r1.15.2.3 -r1.21
    --- finger.c	2000/09/15 21:51:00	1.15.2.3
    +++ finger.c	2000/10/05 15:56:13	1.21
    @@ -293,6 +293,16 @@
 		    goto net;
    
 	    /*
    +	 * Mark any arguments beginning with '/' as invalid so that we
    +	 * don't accidently confuse them with expansions from finger.conf
    +	 */
    +	for (p = argv, ip = used; *p; ++p, ++ip)
    +	    if (**p == '/') {
    +		*ip = 1;
    +		warnx("%s: no such user", *p);
    +	    }
    +
    +	/*
 	     * Traverse the finger alias configuration file of the form
 	     * alias:(user|alias), ignoring comment lines beginning '#'.
 	     */
    @@ -323,11 +333,11 @@
 	     * gathering the traditional finger information.
 	     */
 	    if (mflag)
    -		for (p = argv; *p; ++p) {
    -			if (**p != '/' || !show_text("", *p, "")) {
    +		for (p = argv, ip = used; *p; ++p, ++ip) {
    +			if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {
 				    if (((pw = getpwnam(*p)) != NULL) && !hide(pw))
 					    enter_person(pw);
    -			   	else
    +				else if (!*ip)
 					    warnx("%s: no such user", *p);
 			    }
 		    }

    Problem persists only  in 4.x branch.   Of course, it  allows also
    to  traverse  directory  structures.   This  has been corrected in
    2000-10-05 (4.1.1-STABLE).

    FreeBSD  4.1-RELEASE,  4.0-RELEASE,   3.5.1-RELEASE  and   FreeBSD
    4.1-STABLE  systems  dated  before  2000-09-01 or after 2000-10-05
    are unaffected by this vulnerability.