Re: finger-bombing

Scott Chasin (chasin@crimelab.crimelab.com)
Thu, 13 Oct 94 21:22:48 CDT

> On Thu, 13 Oct 1994, Tony Jago wrote:
> >      example: finger @brolga.cc.uq.oz.au@archie.au
> >   I am not sure if this is a "bug" or not but a lot of systems allow this sort 
> >   of thing. HP-UX doesn't. SunOS does.
> 
> I don't think this is a bug. Neither is it a feature.. it is a common hack 
> many people know but doesn't seem to have a serious security loophole. 

There is a serious bug in the Ultrix OS which allows a remote finger
request to dump all known user finger profiles back out to the
requestor (this has been known for quite some time).

Example: finger @@some.ultrix.host.com

This would dump all system known users.  The first '@' is translated to
a NULL and fools fingerd into dumping everything.

--

The same hack in a different fashion on SunOS 4.1.x will give random users'
profiles (at least from what I have seen.. At one time I thought not).

Example: finger 23234123123123123@some.sunos.host.com

The rather large number has a strange effect on fingerd -- I haven't looked
closely enough to see what.

--Scott
chasin@crimelab.com
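
An added example, not part of the original post and not any vendor's fingerd code: a request-line check a finger daemon could apply before any lookup, so that relay requests, a bare '@' and odd names are refused instead of being passed on. It assumes the client has already stripped the final @host, so `finger @@host` reaches the daemon as the line "@"; the function name, the 32-character limit, the name alphabet and the all-digit rule are hypothetical policy choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 32  /* assumed site limit on login-name length */
enum verdict { Q_LIST, Q_USER, Q_FORWARD, Q_MALFORMED };

/* Classify one request line as the daemon receives it. On Q_USER the
 * validated name is copied into user[MAX_USER + 1]. */
enum verdict classify_query(const char *line, char *user)
{
    char buf[256], *p = buf, *at;
    size_t n = strcspn(line, "\r\n"), i, digits = 0;
    if (n >= sizeof buf)
        return Q_MALFORMED;             /* overlong request line */
    memcpy(buf, line, n);
    buf[n] = '\0';
    if (strncmp(p, "/W", 2) == 0 && (p[2] == ' ' || p[2] == '\0'))
        p += 2;                         /* optional verbose switch */
    while (*p == ' ')
        p++;
    if (*p == '\0')
        return Q_LIST;                  /* empty query: serving it is site policy */
    at = strchr(p, '@');
    if (at != NULL)                     /* any '@' asks this host to relay */
        return (at[1] == '\0' || at[1] == '@') ? Q_MALFORMED : Q_FORWARD;
    n = strlen(p);
    if (n > MAX_USER)
        return Q_MALFORMED;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return Q_MALFORMED;         /* outside the assumed name alphabet */
        digits += (isdigit(c) != 0);
    }
    if (digits == n)
        return Q_MALFORMED;             /* all-digit name (assumed policy) */
    memcpy(user, p, n + 1);
    return Q_USER;
}

int main(void)
{
    /* Constructed request lines; the host name is a placeholder. */
    const char *s[] = { "", "alice", "@", "@relay.example", "23234123123123123" };
    char user[MAX_USER + 1];
    for (int i = 0; i < 5; i++)
        printf("%-20s -> %d\n", s[i], classify_query(s[i], user));
    return 0;
}
```

A daemon using this would answer only Q_USER (and Q_LIST if the site allows user listings) and log the rest.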