Multiple vulnerabilities in akfingerd

From: Gianni Tedesco (gianniat_private)
Date: Thu Dec 05 2002 - 10:29:45 PST


    <INSERT ASCII BANNER AND ADVERTISING HERE>
    
    PRODUCT.
    akfingerd (http://synflood.at/akfingerd/)
    
    EXPLOIT-ID.
    ECSC Ltd. Official K-R4d E-Security Advertisory.
    KR4D-VULN-ID-0-000-000-000-000-000-000-000-001
    
    IMPORTANT SOUNDING DESCRIPTION.
    Akfingerd is a 'secure' finger server used by no one, blah blah...
    
    VERSIONS AFFECTED (to make it sound scientific).
    0.5, probably all other versions, past and future.
    
    LIST OF K-RAD VULNS.
    1. Remote user can cause DoS. To reproduce, simply connect to the finger
    server. For the duration of your connection, no one else can connect.
    
    2. Local user can kill akfingerd. He must simply symlink his .plan file
    to /dev/urandom. He then fingers his user and, while akfingerd is spewing
    the data, disconnects. Akfingerd fails to handle SIGPIPE properly and
    exits.
    
    3. User can read files owned by user 'nobody'. ln -s /some/file ~/.plan.
    Then you can read files owned by nobody. Interestingly enough there is
    some weird code to lstat() the plan file first, then open it only if
    lstat() is successful. I have _NO IDEA_ what that is for....
    
    4. Fails to drop supplementary groups, so using exploit 3 you can also
    read any file group-readable by the root group (0), or by any other
    supplementary group that root belongs to.
    
    VENDOR NOTIFICATION STATUS FULL DISCLOSURE-O-RAMA.
    I contacted the author months ago (probably more than a year now, I don't
    have a copy of the email anymore). My problem is that the blurb
    describes it as a 'secure' finger replacement. To which my only response
    is no, no it isn't. This software is unlikely to be in use by anyone,
    but it is interesting to see that the hardest part of writing
    secure software is evidently fitting the word into the title. Security
    through obscurity? Security through marketing. Unbreakable Trusted
    Computing(tm).
    
    PROOF-OF-CONCEPT HAIKU
     Connect to finger
     Stay connected, for a while
     Cherry blossom falls
    
    FIXES/WORKAROUNDS
     10 PRINT Don't use it
     20 GOTO 10
    
    FINAL THOUGHTS.
    There are probably other exploits but the code is basically insecure by
    design and pretty much unsalvageable. That said, try as I might, I
    completely failed to find a 'cross site scripting' vulnerability in this
    software.
    
    DISCLAIMER (to make me sound sexy and dangerous).
    Any spelling mistakes are the responisibility of the reader. If you
    received this email in error then refer to terms and conditions in
    article 3a. in accordance with the 1972 electronic fraud act and section
    1.1b of the Bulgarian obscene conduct in public statute. Your livestock
    are not affected.
    
    (most likely coming soon: akpop3d, tiny-cron, .*secure.*d(a)?emon$, etc
    etc...)
    
    -- 
    // TEAM K-R4D-VULN (fanmail: kr4dvulns at ecsc dot co dot uk) ECSC Ltd.
    lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
    8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
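Editor's note: the post above lists the bugs but, by design, offers no fix beyond "don't use it". The following is an added example, not akfingerd's code and not the author's, showing how a finger daemon can avoid items 2, 3 and 4 on Linux/glibc: ignore SIGPIPE so a client that disconnects mid-transfer produces EPIPE instead of killing the process; drop supplementary groups before gid and uid, and verify the drop; and open ~/.plan with O_NOFOLLOW, then fstat() the opened descriptor (not lstat() the path first, which is a race) to require a regular file owned by the user being fingered. The "nobody" uid/gid, the 64 KiB plan cap and the home-directory paths are illustrative assumptions. Item 1 (the single-threaded accept loop) is a concurrency problem outside the scope of this snippet.

```c
/* Added example, not akfingerd's code. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PLAN_MAX (64 * 1024)   /* assumed cap on bytes served per .plan */

/* Vuln 2: with SIGPIPE ignored, write() to a dead peer fails with EPIPE
 * instead of terminating the daemon. */
void ignore_sigpipe(void)
{
    signal(SIGPIPE, SIG_IGN);
}

/* Vuln 4: supplementary groups must go first, then gid, then uid.
 * Returns 0 on success, -1 (errno set) on failure or if root could be
 * regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) == -1) return -1;   /* forget root's groups */
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    if (uid != 0 && setuid(0) != -1) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid) { errno = EPERM; return -1; }
    return 0;
}

/* Vuln 3 (and the /dev/urandom trick of vuln 2): open <home>/.plan without
 * following a symlink in the final component, then check the *opened*
 * descriptor. Only a regular file owned by `owner` is served.
 * Returns an fd >= 0, or -1 with errno set (ELOOP for a symlink, EACCES
 * for a policy reject). */
int open_plan_file(const char *home, uid_t owner)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;

    if (snprintf(path, sizeof path, "%s/.plan", home) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Copy at most PLAN_MAX bytes from plan_fd to out_fd. Returns bytes sent,
 * or -1 on error (including EPIPE when the client has gone away). */
ssize_t send_plan(int out_fd, int plan_fd)
{
    char buf[4096];
    ssize_t total = 0, n = 0;

    while (total < PLAN_MAX && (n = read(plan_fd, buf, sizeof buf)) > 0) {
        if (total + n > PLAN_MAX)
            n = PLAN_MAX - total;
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w == -1) {
                if (errno == EINTR) continue;
                return -1;
            }
            off += w;
        }
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Usage sketch: serve one .plan to stdout. Hypothetical nobody = 65534. */
int main(int argc, char **argv)
{
    const char *home = argc > 1 ? argv[1] : "/home/someuser";
    uid_t owner = argc > 2 ? (uid_t)atoi(argv[2]) : getuid();

    ignore_sigpipe();
    if (getuid() == 0 && drop_privileges(65534, 65534) == -1) {
        perror("drop_privileges");
        return 1;
    }
    int fd = open_plan_file(home, owner);
    if (fd == -1) { perror(".plan"); return 1; }
    ssize_t sent = send_plan(STDOUT_FILENO, fd);
    close(fd);
    return sent < 0 ? 1 : 0;
}
```

The order in drop_privileges() matters: once setuid() has run, setgroups() is no longer permitted, so a daemon that drops uid first keeps root's supplementary groups forever, which is exactly item 4. The fstat()-after-open pattern is what the "weird" lstat() code in the original was presumably reaching for; checking the path before opening it proves nothing about the file you then open.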
    This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 11:04:41 PST