Subject: bin/2456: (security) fingerd allows redirection
To: None <gnats-bugs@NetBSD.ORG, misc@openbsd.org>
From: None <david@mono.org>
List: netbsd-bugs
Date: 05/22/1996 10:51:16
>Number: 2456
>Category: bin
>Synopsis: (security) fingerd allows redirection
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed May 22 06:20:10 1996
>Last-Modified:
>Originator: David Brownlee
>Organization:
Monochrome (http://www.mono.org)
>Release: 1.1B
>Environment:
System: NetBSD orwell.southern.net 1.1B NetBSD 1.1B (_SUN4C_) #0: Tue Apr 2 08:44:20 PST 1996 david@orwell.southern.net:/usr/src/sys/arch/sparc/compile/_SUN4C_ sparc
>Description:
From a posting to BoS by Christopher Klaus <cklaus@iss.net>,
regarding a potential Denial of Service attack, and 'machine hopping'
using fingerd.
[start of text from Christopher Klaus <cklaus@iss.net>]
Finger Bomb - Some finger daemons allow redirecting the finger to remote sites.
To finger through several sites, finger username@hostA@hostB. The finger will
go through hostB then to hostA. This helps hackers cover their tracks
because HostA will see a finger coming from HostB instead of the original
service. This technique has been used to go through firewalls themselves if
they are not properly configured. This can happen by finger
user@host@firewall.
A denial of service attack may happen when a person types:
finger username@@@@@@@@@@@@@@@@@@@@@hostA
The @ repeated causes the finger to recursively finger the same machine
itself repeatedly till the memory and hard drive swap space fills up and
causes the machine to crash or slow to unusable speeds.
[end of text from Christopher Klaus <cklaus@iss.net>]
>How-To-Repeat:
finger root@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@localhost
and watch your machine go away for a while.
>Fix:
Fingerd should filter out loops to the current host.
Ideally it should have a flag to either enable redirection
(off by default) or to disable it.
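As an added illustration of the fix suggested above (this is example code written for this report, not code from the PR, from NetBSD's fingerd or from finger(1)): a query-screening routine that a daemon could run before handing the request to finger. Forwarding is off unless the caller enables it, and even when it is on, the routine rejects an empty hop ("user@@host", the recursion trigger), a hop that names this host or "localhost" (a loop back to ourselves) and more than one hop (site hopping). The function and enum names, and the self_name parameter, are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Verdicts returned by check_finger_query() (names are this example's own). */
enum finger_verdict {
    FINGER_OK = 0,            /* plain local query, or a single allowed hop */
    FINGER_REJECT_FORWARD,    /* query contains '@' but forwarding is disabled */
    FINGER_REJECT_EMPTY_HOP,  /* "user@@host": an empty hop name */
    FINGER_REJECT_SELF_HOP,   /* a hop names this host: would loop back to us */
    FINGER_REJECT_MULTI_HOP   /* more than one hop: hopping through other sites */
};

/* True if a hop of 'len' bytes names this host or the loopback name. */
static int
hop_is_self(const char *hop, size_t len, const char *self_name)
{
    if (len == strlen(self_name) && strncasecmp(hop, self_name, len) == 0)
        return 1;
    return len == 9 && strncasecmp(hop, "localhost", 9) == 0;
}

/*
 * Screen a raw finger query. 'allow_forwarding' is the hypothetical
 * daemon flag (0 = off, the safe default); 'self_name' is our host name.
 */
enum finger_verdict
check_finger_query(const char *query, int allow_forwarding, const char *self_name)
{
    const char *at = strchr(query, '@');
    const char *hop;
    int hops = 0;

    if (at == NULL)
        return FINGER_OK;               /* no redirection requested at all */
    if (!allow_forwarding)
        return FINGER_REJECT_FORWARD;   /* policy: drop every forwarded query */

    /* Walk the '@'-separated hop names that follow the user name. */
    hop = at + 1;
    for (;;) {
        const char *next = strchr(hop, '@');
        size_t len = next != NULL ? (size_t)(next - hop) : strlen(hop);

        if (len == 0)
            return FINGER_REJECT_EMPTY_HOP;
        if (hop_is_self(hop, len, self_name))
            return FINGER_REJECT_SELF_HOP;
        hops++;
        if (next == NULL)
            break;
        hop = next + 1;
    }
    return hops > 1 ? FINGER_REJECT_MULTI_HOP : FINGER_OK;
}

int
main(void)
{
    /* Constructed sample queries; "orwell" stands in for the daemon's host name. */
    const char *samples[] = {
        "root", "root@hostA", "root@hostA@hostB",
        "root@@@@localhost", "root@localhost", "root@ORWELL"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s forwarding=on -> %d, forwarding=off -> %d\n", samples[i],
            (int)check_finger_query(samples[i], 1, "orwell"),
            (int)check_finger_query(samples[i], 0, "orwell"));
    return 0;
}
```

With forwarding off the only query that passes is the plain "root"; with it on, "root@hostA" passes and the looping, self-referencing and multi-hop forms are each refused with a distinct verdict, which also gives the daemon something specific to log.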
>Audit-Trail:
>Unformatted: