Sun Solaris 7 through 9 finger bug

2007.08.14
Credit: Jim Mellander
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Recently, we monitored a cracker from Eastern Europe, who ran 'finger 9@host' against a Solaris 7 box, and got the following result: Login Name TTY Idle When Where daemon ??? < . . . . > bin ??? pts/1 <Oct 2, 2002> xxx.lbl.gov sys ??? < . . . . > account1 ??? pts/8 <Jul 20, 2000> yyy.lbl.gov account2 ??? pts/5 <Dec 17, 1999> zzz.lbl.gov account3 ??? pts/2 <Jun 30, 2000> aaa.lbl.gov account4 ??? pts/1 <Feb 17, 2005> bbb.lbl.gov account5 ??? pts/5 <May 6, 2005> ccc.lbl.gov account6 ??? pts/9 <Mar 7 15:18> ddd.lbl.gov This is on a Solaris 7 box with the latest recommended patch set. This is not the same bug as described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1503 Below are snippets of Sun's response: ========================================================= Sun> The issue you have seen regarding a single digit argument is different Sun> as this form of ambiguous username returns user information for accounts Sun> on the system which meet one of the following criteria: Sun> Sun> + an empty GECOS field Sun> + leading spaces in the GECOS field Sun> + trailing spaces in the GECOS field Sun> + a GECOS field with two adjacent spaces Sun> This latter issue has been addressed in Solaris 10 and later at this Sun> time under bugID 4432153. > Thanks for your response. Do you intend to provide patches for older > OS's? At this time there aren't any plans to address 4432153 in Solaris 8 or 9. As you may know Solaris 7 is no longer supported. If a service call was raised with Sun then patches for Solaris 8 and 9 could be generated. > Under RFC 1288, it seems there should be a mechanism to disable such > behavior. It certainly is nonintuitive to most folks that 'finger > 9@host' will display accounts with the GECOS field as described. I > would also note that other operating systems such as Linux and FreeBSD > exhibit the behavior that most folks would likely expect: > > $ finger 9@localhost > finger: 9: no such user There isn't a way to disable such behaviour as far as we can tell despite the SHOULD in the RFC. We agree the the behaviour of 'finger 9@host' returning information about accounts with "unusual" whitespace in the GECOS field is non-intuitive and was also considered incorrect which is why 4432153 was filed. Hope this helps. ==================================================================== Does anyone know of other platforms which exhibit this odd behavior? -- Jim Mellander Incident Response Manager Computer Protection Program Lawrence Berkeley National Laboratory (510) 486-7204


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top