From: John Galt (galt@INCONNU.ISU.EDU)
Date: Wed Mar 21 2001 - 16:48:38 CST
On Mon, 19 Mar 2001, Jens Hektor wrote:
>Hi,
>
>Recently, on a compromised host somewhere, a script containing the
>following very interesting line was found:
>
> finger "0 1 2 3 4 5 6 7 8 9" host
>
>If "host" is a Solaris host with finger service enabled in /etc/inetd.conf,
>one will get a complete (?) list of accounts on this system.
That's one WEIRD parse. [0-9] should not return true for "sam". I'd
suggest that the actual thing is that the kiddie (or one of their friends)
has a penchant for r00t users with numerical usernames to "hide". Numeric
usernames are also common in FTP: perhaps they were looking for an ftpd
'sploit?
>Workaround: disable finger service in /etc/inetd.conf
More urgent workaround: disable all accounts you can't attach to a daemon
or person, or at least give them a shell of /bin/false.
>Since this has already been found in the wild and there seems to be no patch
>for this undocumented feature, the vuln-dev list of SecurityFocus is included.
If it does as you say, it's documented in the protocol. RFC 1288 section
3.2.6.
3.2.6. {U} ambiguity
Be aware that a malicious user's clever and/or persistent use of this
feature can result in a list of most of the usernames on a system.
Refusal of {U} ambiguity should be considered in the same vein as
refusal of {C} requests (see section 3.2.2).
>Best regards, Jens Hektor
>
>--
>Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
>Computing Center Technical University Aachen, firewalls/network security
>mailto:hektor@RZ.RWTH-Aachen.DE, Tel.: +49 241 80 4866, Room: 2.35
>Private: Rochusstr. 26, D52062 Aachen, Phone: +49 241 29888, Fax: % 29889
>
--
EMACS == Eight Megabytes And Constantly Swapping
Who is John Galt? galt@inconnu.isu.edu, that's who!
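As an added example (not code from the thread, nor from any fingerd), here is a small Python model of the RFC 1288 request handling John points at: a parser for the {Q1}/{Q2} request grammar, a lookup that either demands an exact login or, in a permissive mode, also matches substrings of login and GECOS, and a policy that refuses forwarding, the {C} "list everyone" query, and ambiguous names as section 3.2.6 recommends. The passwd table and the substring-on-GECOS model of permissive matching are constructed assumptions for illustration, not Solaris's actual behaviour.

```python
# Constructed /etc/passwd-style table: login -> (GECOS, shell). Not real accounts.
SAMPLE_PASSWD = {
    "root":   ("Super-User",         "/bin/sh"),
    "daemon": ("",                   "/bin/false"),
    "jens":   ("Jens H., Room 2.35", "/bin/ksh"),
    "sam":    ("Sam, ext 4866",      "/bin/sh"),
    "1234":   ("batch account 1234", "/bin/sh"),
}


def parse_request(line):
    """Split one RFC 1288 request line into (verbose, name_tokens, forward_hosts).

    Grammar: {Q1} = [{W}|{W}{S}{U}]{C} and {Q2} = [{W}{S}][{U}]{H}{C}, with
    {W} = "/W", {H} = "@hostname"..., {C} = CRLF.  The finger client passes its
    argument through unchanged, so {U} may carry several whitespace-separated
    names, as in the "0 1 2 3 4 5 6 7 8 9" request from the thread.
    """
    body = line.rstrip("\r\n")
    verbose = body.startswith("/W")
    if verbose:
        body = body[2:]
    user_part, at, hosts = body.partition("@")
    return verbose, user_part.split(), (hosts if at else None)


def match_users(token, passwd, allow_ambiguous):
    """Exact login match; in permissive mode also substring match on login or GECOS.

    The substring rule is an assumed model of a permissive RUIP, not Solaris code.
    """
    if token in passwd:
        return [token]
    if not allow_ambiguous:
        return []
    t = token.lower()
    return [login for login, (gecos, _shell) in passwd.items()
            if t in login.lower() or t in gecos.lower()]


def answer(line, passwd, allow_ambiguous=False):
    """Logins the server would disclose for one request, or None when it refuses."""
    _verbose, tokens, forward = parse_request(line)
    if forward is not None:
        return None          # refuse forwarding ({Q2}) requests outright
    if not tokens:
        return None          # refuse the {C} "list everyone" query (RFC 1288 3.2.2)
    found = set()
    for tok in tokens:
        found.update(match_users(tok, passwd, allow_ambiguous))
    return sorted(found)     # empty list in strict mode: nothing to enumerate
```

Run with `allow_ambiguous=True` the digit request from the thread pulls out every account whose login or GECOS happens to contain a digit; in strict mode the same request yields nothing.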