Sun Solaris finger后台程序账户泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1189475 漏洞类型 未知
发布时间 2007-08-13 更新时间 2007-08-13
CVE编号 CVE-2007-4310 CNNVD-ID CNNVD-200708-193
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://www.securityfocus.com/bid/85465
https://cxsecurity.com/issue/WLB-2007080063
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-193
|漏洞详情
SunSolaris7版本至9版本的finger后台程序(in.fingerd)允许远程攻击者可以借助一个单一数字组成的请求,例如一个"finger91host"指令,列出所有具有特定非标准GECOS字段的帐号。该漏洞不同于CVE-2001-1503。
|漏洞EXP
Recently, we monitored a cracker from Eastern Europe, who ran 'finger
9@host' against a Solaris 7 box, and got the following result:

Login Name TTY Idle When Where
daemon ??? < . . . . >
bin ??? pts/1 <Oct 2, 2002> xxx.lbl.gov
sys ??? < . . . . >
account1 ??? pts/8 <Jul 20, 2000> yyy.lbl.gov
account2 ??? pts/5 <Dec 17, 1999> zzz.lbl.gov
account3 ??? pts/2 <Jun 30, 2000> aaa.lbl.gov
account4 ??? pts/1 <Feb 17, 2005> bbb.lbl.gov
account5 ??? pts/5 <May 6, 2005> ccc.lbl.gov
account6 ??? pts/9 <Mar 7 15:18> ddd.lbl.gov

This is on a Solaris 7 box with the latest recommended patch set.
This is not the same bug as described here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1503

Below are snippets of Sun's response:

=========================================================
Sun> The issue you have seen regarding a single digit argument is different
Sun> as this form of ambiguous username returns user information for
accounts
Sun> on the system which meet one of the following criteria:
Sun>
Sun> + an empty GECOS field
Sun> + leading spaces in the GECOS field
Sun> + trailing spaces in the GECOS field
Sun> + a GECOS field with two adjacent spaces

Sun> This latter issue has been addressed in Solaris 10 and later at this
Sun> time under bugID 4432153.

> Thanks for your response. Do you intend to provide patches for older
> OS's?

At this time there aren't any plans to address 4432153 in Solaris 8 or
9. As you may know Solaris 7 is no longer supported. If a service call
was raised with Sun then patches for Solaris 8 and 9 could be generated.

> Under RFC 1288, it seems there should be a mechanism to disable such
> behavior. It certainly is nonintuitive to most folks that 'finger
> 9@host' will display accounts with the GECOS field as described. I
> would also note that other operating systems such as Linux and FreeBSD
> exhibit the behavior that most folks would likely expect:
>
> $ finger 9@localhost
> finger: 9: no such user

There isn't a way to disable such behaviour as far as we can tell
despite the SHOULD in the RFC. We agree the the behaviour of 'finger
9@host' returning information about accounts with "unusual" whitespace
in the GECOS field is non-intuitive and was also considered incorrect
which is why 4432153 was filed.

Hope this helps.
====================================================================

Does anyone know of other platforms which exhibit this odd behavior?

-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204
|受影响的产品
Sun Solaris 7.0
|参考资料

来源:BUGTRAQ
名称:20070727Re:Solarisfingerbug
链接:http://www.securityfocus.com/archive/1/archive/1/474927/100/100/threaded
来源:BUGTRAQ
名称:20070727Solarisfingerbug
链接:http://www.securityfocus.com/archive/1/archive/1/474858/100/100/threaded
来源:SREASON
名称:2996
链接:http://securityreason.com/securityalert/2996