Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Solaris finger bug

from [Jim Mellander] Network Security [Permanent Link]
Subject: Solaris finger bug
Date: Fri, 27 Jul 2007 11:17:39 -0700 
Hi all:

Recently, we monitored a cracker from Eastern Europe, who ran 'finger
9@host' against a Solaris 7 box, and got the following result:

Login          Name     TTY     Idle    When    Where
daemon          ???              < .  .  .  . >
bin             ???      pts/1   <Oct  2, 2002> xxx.lbl.gov
sys             ???                         < .  .  .  . >
account1        ???      pts/8    <Jul 20, 2000> yyy.lbl.gov
account2        ???      pts/5    <Dec 17, 1999> zzz.lbl.gov
account3        ???      pts/2    <Jun 30, 2000> aaa.lbl.gov
account4        ???      pts/1    <Feb 17, 2005> bbb.lbl.gov
account5        ???      pts/5    <May  6, 2005> ccc.lbl.gov
account6        ???      pts/9    <Mar  7 15:18> ddd.lbl.gov

This is on a Solaris 7 box with the latest recommended patch set.
This is not the same bug as described here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1503

Below are snippets of Sun's response:

=========================================================
Sun> The issue you have seen regarding a single digit argument is different
Sun> as this form of ambiguous username returns user information for
accounts
Sun> on the system which meet one of the following criteria:
Sun>
Sun>     + an empty GECOS field
Sun>     + leading spaces in the GECOS field
Sun>     + trailing spaces in the GECOS field
Sun>     + a GECOS field with two adjacent spaces

Sun> This latter issue has been addressed in Solaris 10 and later at this
Sun> time under bugID 4432153.


Thanks for your response.  Do you intend to provide patches for older
OS's?


At this time there aren't any plans to address 4432153 in Solaris 8 or
9.  As you may know Solaris 7 is no longer supported.  If a service call
was raised with Sun then patches for Solaris 8 and 9 could be generated.


Under RFC 1288, it seems there should be a mechanism to disable such
behavior.  It certainly is nonintuitive to most folks that 'finger
9@host' will display accounts with the GECOS field as described.  I
would also note that other operating systems such as Linux and FreeBSD
exhibit the behavior that most folks would likely expect:

$ finger 9@localhost
finger: 9: no such user



There isn't a way to disable such behaviour as far as we can tell
despite the SHOULD in the RFC.  We agree the the behaviour of 'finger
9@host' returning information about accounts with "unusual" whitespace
in the GECOS field is non-intuitive and was also considered incorrect
which is why 4432153 was filed.

Hope this helps.
====================================================================

Does anyone know of other platforms which exhibit this odd behavior?

-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

Lawn mower blade in your fan need sharpening
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer), Amit Klein
Next by Date:  Anti XSS AJAX, Fady Anwar
Previous by Thread:  [Full-disclosure] FLEA-2007-0035-1: libvorbis, Foresight Linux Essential Announcement Service
Next by Thread:  Re: Solaris finger bug, Joep Vesseur
Indexes:  [Date] [Thread] [Top] [All Lists]