dave@boingo.med.jhu.edu (David Heath) (08/25/90)
Recently, I wrote a program that creates a named pipe $HOME/.plan and writes various plans to it when I am fingered. This program was written under Ultrix. My sysadm asked me about it (and how to use named pipes in general) a couple of weeks later, so I sent him the source and explained how it worked. The next day, I got a message that said, in part, "As I'm sure you have surmised, you have discovered a MAJOR security hole." After talking with him about it, I realized that he did not understand how the program worked. I tried again to explain it, and told him I was convinced that it was not a security hole. Nevertheless, he modified the finger program to ignore .plan and .project when they were special files. I would be tempted to dismiss his attitude as paranoia, but he pointed out that in Ultrix 4.0, the supplied finger has the same behavior (i.e., ignores special files).

So, what I'm wondering is: "Is this really a security hole?"

Thanks,
-- dave heath heath@crabcake.cs.jhu.edu
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (08/25/90)
In article <1990Aug24.224727.26823@boingo.med.jhu.edu> dave@boingo.med.jhu.edu (David Heath) writes:
[ made named pipe ~/.plan, had finger daemon writing plans to it ]
[ sysadmin asked about it ]
> so I sent him the
> source and explained how it worked. The next day, I got a message that
> said, in part, "As I'm sure you have surmised, you have discovered a MAJOR
> security hole."
[ said no, but sysadmin modified finger anyway to ignore special files ]
[ ultrix 4.0's finger also ignores special .plan and .project ]
> "Is this really a security hole?"

No. There are three problems with finger that can lead to security holes:

1. Many versions of finger don't convert control characters to printable forms. This is the client's responsibility in case of a network finger. Anyway, .plan and .project can contain dangerous control sequences.

2. There is no easy way for a sysadmin or user to restrict the flow of information to the network. See, e.g., some of Steve Bellovin's articles for clear explanations of why this is a problem.

3. The network finger daemon is not careful to flush output before reading .plan and .project. Hence a user can stop all finger information from going to the outside by setting up ~/.plan as a named pipe without a writer. Note: As long as #2 is not corrected, this is a feature, not a bug! The minor inconvenience of hanging fingerd is irrelevant compared to the dangers of releasing too much information.

---Dan
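Dan's first point is that a finger client should never pass raw control characters from someone else's .plan to the terminal. The following is an added example, not code from anyone in this thread, of the kind of filter a client could run its output through: it renders bytes the way `cat -v` does (ESC becomes `^[`, DEL becomes `^?`, high-bit bytes become `M-` plus the low seven bits), leaving only newline and tab intact. The function name `sanitize_plan` and the snprintf-style truncation contract are my own choices.

```c
/* Added example: make a .plan/.project byte stream safe to print by
 * converting every control character to a visible form, cat -v style.
 * Standard C only; no finger code is involved. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Store one byte if there is room (keeping one slot for the NUL) and
 * advance the logical position regardless, so the caller learns the
 * length the full rendering would need, as snprintf does. */
static size_t emit(char *out, size_t outcap, size_t pos, unsigned char c)
{
    if (pos + 1 < outcap)
        out[pos] = (char)c;
    return pos + 1;
}

/* Render n bytes of `in` into `out` (capacity outcap, always NUL-terminated
 * when outcap > 0). Returns the number of rendered bytes, which exceeds
 * outcap - 1 when the output was truncated.
 *   0x00-0x1f (except \n, \t) -> "^" + (c + 0x40)   e.g. ESC -> "^["
 *   0x7f                      -> "^?"
 *   0x80-0xff                 -> "M-" + rendering of (c & 0x7f)
 *   everything else           -> itself */
size_t sanitize_plan(const unsigned char *in, size_t n, char *out, size_t outcap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == '\n' || c == '\t') {          /* harmless layout characters */
            pos = emit(out, outcap, pos, c);
            continue;
        }
        if (c & 0x80) {                        /* meta bit: show "M-" then the 7-bit part */
            pos = emit(out, outcap, pos, 'M');
            pos = emit(out, outcap, pos, '-');
            c &= 0x7f;
        }
        if (c < 0x20) {                        /* C0 control, including ESC and CR */
            pos = emit(out, outcap, pos, '^');
            pos = emit(out, outcap, pos, (unsigned char)(c + 0x40));
        } else if (c == 0x7f) {                /* DEL */
            pos = emit(out, outcap, pos, '^');
            pos = emit(out, outcap, pos, '?');
        } else {
            pos = emit(out, outcap, pos, c);   /* ordinary printable byte */
        }
    }
    if (outcap)
        out[pos < outcap ? pos : outcap - 1] = '\0';
    return pos;
}

/* Stand-alone use: act as a filter, e.g.  finger user@host | ./sanitize */
int main(void)
{
    unsigned char in[1024];
    char out[4 * sizeof in + 1];               /* worst case is 4 output bytes per input byte */
    size_t n;
    while ((n = fread(in, 1, sizeof in, stdin)) > 0) {
        size_t m = sanitize_plan(in, n, out, sizeof out);
        fwrite(out, 1, m, stdout);
    }
    return 0;
}
```

Because the worst-case expansion is exactly four bytes per input byte ("M-^X"), a caller that sizes its buffer at 4n + 1 never sees truncation; the return value lets a caller that cannot do so detect it.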
maart@cs.vu.nl (Maarten Litmaath) (08/27/90)
In article <1990Aug24.224727.26823@boingo.med.jhu.edu>, dave@boingo.med.jhu.edu (David Heath) writes:
)..., he modified
)the finger program to ignore .plan and .project when they were special
)files.

He forgot to deal with normal files. The real bug is fingerd running as root: root can open any (local) file... (Think about it!)
--
"What is a rabbit? A particle that makes special tracks in the snow!" (Paul M. Koloc)
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (08/28/90)
In article <7391@star.cs.vu.nl> maart@cs.vu.nl (Maarten Litmaath) writes:
> The real bug is fingerd running as
> root: root can open any (local) file... (Think about it!)

Of course, this is only a problem when the cracker has a local account. This is one reason why fingerd runs as ``nobody'' (or a similarly restricted user) under current systems. The servers provided with authutil do this correctly.

---Dan
davidb@Pacer.UUCP (David Barts) (08/29/90)
In article <7391@star.cs.vu.nl>, maart@cs.vu.nl (Maarten Litmaath) writes:
> He forgot to deal with normal files. The real bug is fingerd running as
> root: root can open any (local) file... (Think about it!)

And how about a nice symbolic link to /etc/passwd?
--
David Barts Pacer Corporation, Bothell, WA davidb@pacer.uucp ...!uunet!pilchuck!pacer!davidb
louie@sayshell.umd.edu (Louis A. Mamakos) (08/29/90)
In article <361@pacer.UUCP> davidb@Pacer.UUCP (David Barts) writes:
>In article <7391@star.cs.vu.nl>, maart@cs.vu.nl (Maarten Litmaath) writes:
>> He forgot to deal with normal files. The real bug is fingerd running as
>> root: root can open any (local) file... (Think about it!)
>
>And how about a nice symbolic link to /etc/passwd?

It seems that the only way that the .plan file could be a symbolic link is if that user made it such. He could have just as easily copied /etc/passwd into his .plan file and saved the trouble of following the symbolic link. If you can't trust your users not to give away the farm, then you've got other problems. You'll likely want to think about shadow password files under those circumstances.

Fingerd only runs as `root' on brain-damaged operating systems. Grab the 4.3BSD inetd (and cron, for that matter), which allow you to specify the user that the daemons will be run as. We beat up on DEC frequently about this (every Ultrix field test), and somehow it seems impossible to convince them that this is a good idea and a `feature.'

louie
rosen@solbourne.samsung.com (MFHorn) (08/30/90)
In article <1990Aug28.214615.4265@ni.umd.edu> louie@sayshell.umd.edu (Louis A. Mamakos) writes:
> Fingerd only runs as `root' on brain-damaged operating systems.

If finger doesn't run as root, ~/.plan has to be world-readable, and ~/ has to be at least world-executable [comments on NFS brain damage omitted]. Some users may want to be more secure than this. Others may not know it needs to be like that and will wonder why nobody can see their plan or project. In the past (and probably on many systems today), finger ran as root because of this.

The problem is that it did (does) not make sure .plan and .project are regular files (only) and are owned by the user being fingered. If you've got a broken finger (heh heh), it would be better to fix it and let it run as root (IMO).

--
Andy Rosen | rosen@samsung.com | "I got this guitar
Samsung Software America | ...!uunet!samsung!rosen | and I learned how
One Corporate Drive | (508) 685-7200 | to make it talk"
Andover, MA 01810 | | -Thunder Road
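Andy's proposed fix is that a privileged fingerd should serve .plan only if it is a regular file owned by the user being fingered. Here is an added example of that check, written for this thread rather than taken from any finger implementation, using the POSIX.1-2008 open flags. It also covers the other two failure modes the thread raises: O_NOFOLLOW refuses the symlink-to-/etc/passwd case even when the daemon is root, and O_NONBLOCK stops a writerless named pipe from hanging the daemon at open time. The decision is made from fstat on the descriptor actually opened, not from a prior stat of the path, so there is no window between check and use. The names `check_plan_stat`, `open_plan` and the `plan_status` codes are mine.

```c
/* Added example: how a privileged finger daemon can open ~user/.plan safely.
 * Assumes POSIX.1-2008 (O_NOFOLLOW, fstat, getpwnam); not finger source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum plan_status { PLAN_OK = 0, PLAN_NO_FILE, PLAN_NOT_REGULAR, PLAN_WRONG_OWNER };

/* Pure policy check on a stat record, kept separate so it can be tested
 * without touching the filesystem. Rejects FIFOs, devices, directories,
 * sockets and symlinks (anything that is not a plain file), then anything
 * not owned by the user being fingered. */
enum plan_status check_plan_stat(const struct stat *st, uid_t owner)
{
    if (!S_ISREG(st->st_mode))
        return PLAN_NOT_REGULAR;
    if (st->st_uid != owner)
        return PLAN_WRONG_OWNER;
    return PLAN_OK;
}

/* Open `path` for reading on behalf of `owner`. On PLAN_OK, *fdp holds a
 * descriptor positioned at the start of a regular file owned by `owner`;
 * on any other result no descriptor is left open.
 *   O_NOFOLLOW  a symlink (e.g. to /etc/passwd) fails with ELOOP instead of
 *               being followed with the daemon's privileges
 *   O_NONBLOCK  a FIFO with no writer opens immediately rather than hanging
 *               the daemon; fstat then rejects it as not regular
 *   O_NOCTTY    a terminal device cannot become our controlling terminal */
enum plan_status open_plan(const char *path, uid_t owner, int *fdp)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return PLAN_NO_FILE;            /* missing, unreadable, or a symlink */

    struct stat st;
    if (fstat(fd, &st) < 0) {           /* check the object we opened, not the path */
        close(fd);
        return PLAN_NO_FILE;
    }
    enum plan_status rc = check_plan_stat(&st, owner);
    if (rc != PLAN_OK) {
        close(fd);
        return rc;
    }
    /* A regular file never blocks on read, so O_NONBLOCK is no longer needed. */
    int fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        (void)fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    *fdp = fd;
    return PLAN_OK;
}

/* Stand-alone use:  ./plan_check <user> <path-to-plan> */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user path\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 1;
    }
    int fd = -1;
    enum plan_status rc = open_plan(argv[2], pw->pw_uid, &fd);
    if (rc == PLAN_NO_FILE) {
        puts("No Plan.");
        return 0;
    }
    if (rc != PLAN_OK) {
        puts("Plan: refused (not a regular file owned by the user).");
        return 0;
    }
    /* A real server would still pass these bytes through a control-character
     * filter before sending them; this demo copies them verbatim. */
    char buf[4096];
    ssize_t n;
    fputs("Plan:\n", stdout);
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```

These checks are a mitigation for a daemon that must keep its privileges; the stronger control, as Louis and Dan say elsewhere in the thread, is to run fingerd as an unprivileged user from inetd so that there is nothing for a bad .plan to read that the user could not read anyway.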
irick@ecn.purdue.edu (GarBear Irick) (08/30/90)
Along these lines, I noticed a STRANGE thing today:

ln -s /dev/tty .plan

When I finger myself (OUCH!), it echoes back from stdin. If someone ELSE fingers me from the same host, it just kinda hangs until they <CTRL>-<C> out of it. Not sure what it does from remote sites.... (telnet HOST 79 from here results in: No Plan.) Kind of a nice hack to annoy people who finger you, and kinda weird...

If fingerd runs as root, does this mean that I should, in theory, be able to ln -s /dev/CONSOLE!!! .plan and have at it?? If so, isn't this BAD? :9

Do all fingers run like this, or is it just 4.3BSD, or just a Purdue-ism? Just curious....

--
Gary A. Irick, Purdue University | INTERNET: irick@en.ecn.purdue.edu | UUCP: ...!pur-ee!irick |