From cmatei@lbi.sfos.ro  Sun Aug 25 20:01:38 1996
Received: from lbi.sfos.ro (cmatei@lbi.sfos.ro [193.226.100.253]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id UAA10362 for <best-of-security@suburbia.net>; Sun, 25 Aug 1996 20:01:32 +1000
Received: (from cmatei@localhost) by lbi.sfos.ro (8.7.5/8.7.3) id NAA01337 for best-of-security@suburbia.net; Sun, 25 Aug 1996 13:01:16 +0200
From: Matei Conovici ~SysAdm~ <cmatei@lbi.sfos.ro>
Message-Id: <199608251101.NAA01337@lbi.sfos.ro>
Subject: cfingerd possible security hole
To: best-of-security@suburbia.net
Date: Sun, 25 Aug 1996 13:01:16 +0200 (GMT+0200)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit



Hello,

There is a problem with the USERLOG option of cfingerd. If you have cfingerd
installed on your system, immediately check if you enabled the ALLOW_USERLOG
option in /etc/cfingerd.conf. If this is the case, any file on your system
can be damaged.

The cfingerd daemon needs to run as root. If you have enabled the
ALLOW_USERLOG option in /etc/cfingerd.conf, when an incoming finger query
like user@your.system arrives, it will log it in ~user/.fingerlog, if this
file exists.

Exploit:
Say I'm user joe.

$ cd ~joe
$ ln -s /etc/shadow .fingerlog
$ finger joe@localhost

The cfingerd daemon will simply follow the symbolic link, without checking
for permissions.

This bug was found by a friend, on our school's Linux servers.

Matei Conovici
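The following is an added example, not code from the original post or from cfingerd itself. It shows one way a root daemon can open a per-user log file without being steered by a symlink: open with O_NOFOLLOW (assumed available; it is not on a 1996 kernel, where the equivalent is to fork and seteuid() to the user before opening), then fstat() the descriptor actually obtained and insist on a plain file owned by that user with a single link. The function names, the scratch-directory fixture and the file names in it are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open a per-user log such as ~user/.fingerlog for appending while still
 * running as root, refusing anything that is not a plain file owned by
 * that user.  O_NOFOLLOW makes the kernel fail the open (ELOOP) when the
 * final path component is a symlink, and fstat() on the open descriptor
 * inspects the object we actually got, so there is no lstat/open race.
 * Returns an open fd, or -1 with errno set.
 */
int open_userlog(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                        /* ELOOP here for a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);                        /* hard link, device, fifo, other owner */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/*
 * Constructed fixture (hypothetical, not a real cfingerd layout): a scratch
 * directory holding victim.txt, real.log (a plain file) and
 * link.log -> victim.txt, mirroring "ln -s /etc/shadow .fingerlog" without
 * touching a system file.  Returns 0 when the plain file is accepted and
 * the symlink is refused with its target left untouched; otherwise the
 * number of the step that failed.
 */
int run_demo(void)
{
    char dir[] = "/tmp/fingerlogXXXXXX";
    char victim[64], real[64], lnk[64];
    struct stat st;
    int fd, rc;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(real, sizeof real, "%s/real.log", dir);
    snprintf(lnk, sizeof lnk, "%s/link.log", dir);

    rc = 2;
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) goto out;
    close(fd);
    rc = 3;
    if ((fd = open(real, O_WRONLY | O_CREAT, 0600)) < 0) goto out;
    close(fd);
    rc = 4;
    if (symlink(victim, lnk) < 0) goto out;

    /* A plain file owned by the user is accepted and appended to. */
    rc = 5;
    if ((fd = open_userlog(real, getuid())) < 0) goto out;
    if (write(fd, "query\n", 6) != 6) { close(fd); goto out; }
    close(fd);

    /* The symlink is refused even though its target is writable by us. */
    rc = 6;
    if (open_userlog(lnk, getuid()) != -1) goto out;

    /* And the target was never written to. */
    rc = 7;
    if (stat(victim, &st) < 0 || st.st_size != 0) goto out;
    rc = 0;

out:
    unlink(lnk); unlink(real); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n",
           rc == 0 ? "plain file accepted, symlink refused" : "unexpected result", rc);
    return rc;
}
```

The ownership and link-count checks matter beyond symlinks: without them a user could hard-link a root-owned file into the home directory on the same filesystem and get the same effect. Running the open as the user, with root privilege already dropped, removes the whole class of problem and is the preferable fix where the daemon's structure allows it.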

