FreeBSD fingerd File Disclosure Vulnerability

Solution:
From FreeBSD Advisory FreeBSD-SA-00:54 (attached in full in Credits section):

Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE dated after
the correction date.

2) Apply the patch below and rebuild your fingerd binary.

Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch.asc

# cd /usr/src/usr.bin/finger
# patch -p < /path/to/patch_or_advisory
# make all install
# cd /usr/src/libexec/fingerd
# make all install

Patch for vulnerable 4.1.x systems:

Index: finger.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/finger/finger.c,v
retrieving revision 1.15.2.3
retrieving revision 1.21
diff -u -r1.15.2.3 -r1.21
--- finger.c 2000/09/15 21:51:00 1.15.2.3
+++ finger.c 2000/10/05 15:56:13 1.21
@@ -293,6 +293,16 @@
goto net;

/*
+ * Mark any arguments beginning with '/' as invalid so that we
+ * don't accidently confuse them with expansions from finger.conf
+ */
+ for (p = argv, ip = used; *p; ++p, ++ip)
+ if (**p == '/') {
+ *ip = 1;
+ warnx("%s: no such user", *p);
+ }
+
+ /*
* Traverse the finger alias configuration file of the form
* alias:(user|alias), ignoring comment lines beginning '#'.
*/
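
Review bot: The marker written in the new loop (*ip = 1) is a bare literal, and the second hunk tests it in two different ways (*ip == 1 and !*ip), so the meaning "rejected because it begins with '/'" lives only in this comment. A named constant for the rejected state would keep the write and both reads consistent. The loop sits immediately before the finger.conf traversal, and the comment's stated purpose (telling user-supplied paths apart from finger.conf expansions) appears to depend on that ordering, so the comment should say the loop must stay ahead of the alias pass. The comment also misspells "accidentally".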
@@ -323,11 +333,11 @@
* gathering the traditional finger information.
*/
if (mflag)
- for (p = argv; *p; ++p) {
- if (**p != '/' || !show_text("", *p, "")) {
+ for (p = argv, ip = used; *p; ++p, ++ip) {
+ if (**p != '/' || *ip == 1 || !show_text("", *p, "")) {
if (((pw = getpwnam(*p)) != NULL) && !hide(pw))
enter_person(pw);
- else
+ else if (!*ip)
warnx("%s: no such user", *p);
}
}
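
Review bot: In the mflag loop, an argument already rejected by the first hunk (*ip == 1) still enters the block and is passed to getpwnam(*p), with only the else branch guarded by !*ip. Skipping marked entries at the top of the loop body would state the intent directly, avoid a passwd lookup on a string already reported as "no such user", and remove the need for the extra *ip == 1 term in the condition. The two tests are also not equivalent: the condition checks for exactly 1 while the else branch treats any nonzero value as handled, so if used[] can hold other nonzero values the warning is silently suppressed for those entries as well. Using one form of the test in both places would make that explicit.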



 
