Bugtraq mailing list archives

Re: in.fingerd follows sym-links on Solaris 8


From: "J. Bol" <j.bol () itsec nl>
Date: Mon, 28 May 2001 14:57:40 +0200

On a Solaris 8, i386 machine, I did the following:

$ ls -al
drwxr-xr-x  4  j      other   512 May 28, 14:12 .
drwxr-xr-x  5  root   root    512 May 28, 14:10 ..
lrwxrwxrwx  1  j      other     6 May 28, 14:12 .plan -> myplan
-rw-------  1  nobody nobody   17 May 28, 14:12 myplan
$ finger -l j@localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
No plan.

After I changed the mode of myplan to world-readable, finger gave me

$ finger -l j@localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
Plan:
This is my plan.

So I'd say in.fingerd is not vulnerable to the symlink attack you
describe.

J. Bol

Lukasz Luzar wrote:

Hello,

 Ok, the example wasn't good.
 It was a long day for me, thus, please forgive me that slip-up.

 The sym-links attack is very useful when you want to read
 files that are readable only by unprivileged user.

 For example, many httpd servers work with the same privileges,
 which means that you can read any CGI temporary file, and other
 files readable only by CGI scripts.

 I am thinking of a case where a CGI script saves some important
 information in a temporary file, like PHP does with sessions:

  -rw------- 1 nobody nobody    329 May 14 12:16  /tmp/sess_0cd156a633

 When you have installed in.fingerd, and the in.fingerd is vulnerable,
 all local users are able to read the information from the files.

 There are a few other examples.

--
Lukasz Luzar
http://Developers.of.PL/
Crede quod habes, et habes
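The check the thread is really about, as an added example that is not code from either poster and not Sun's in.fingerd: a daemon that reads ~user/.plan with its own privileges must not follow a symlink into a file the user could not read, and must not serve a file the user does not own. The block below builds the layout from the first post (myplan plus .plan -> myplan) in a temporary directory, opens it once the careless way and once with O_NOFOLLOW plus an fstat ownership check, and reports which opens succeed. The function names, the /tmp/planXXXXXX template and the use of getuid()+1 to stand in for a foreign owner such as nobody are this example's own assumptions; O_NOFOLLOW is assumed available (POSIX.1-2008; Linux, the BSDs and current Solaris have it).

```c
/* Added example: opening ~user/.plan safely from a privileged daemon.
 * Not Sun's in.fingerd; a minimal illustration of the symlink check.
 * Assumes O_NOFOLLOW, mkdtemp and symlink (POSIX.1-2008). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Careless open: any symlink is followed, and the target is read with
 * the daemon's privileges rather than the fingered user's. */
int open_plan_naive(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened open: refuse symlinks (open fails with ELOOP), refuse
 * anything that is not a regular file (FIFOs, devices), and refuse a
 * file not owned by the user being fingered. */
int open_plan_safe(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed fixture mirroring the post: myplan plus .plan -> myplan,
 * created once under a hypothetical /tmp/planXXXXXX directory.
 * Returns the directory path, or NULL on failure. */
const char *fixture_dir(void)
{
    static char dir[64];
    static int built;
    char plan[96], lnk[96];
    FILE *f;
    if (built)
        return dir;
    strcpy(dir, "/tmp/planXXXXXX");
    if (mkdtemp(dir) == NULL)
        return NULL;
    snprintf(plan, sizeof plan, "%s/myplan", dir);
    snprintf(lnk, sizeof lnk, "%s/.plan", dir);
    if ((f = fopen(plan, "w")) == NULL)
        return NULL;
    fputs("This is my plan.\n", f);
    fclose(f);
    if (symlink("myplan", lnk) != 0)   /* relative link, as in the post */
        return NULL;
    built = 1;
    return dir;
}

/* 1 if opening name under dir with the chosen opener succeeds, else 0. */
static int try_open(const char *dir, const char *name, int safe, uid_t owner)
{
    char path[160];
    int fd;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    fd = safe ? open_plan_safe(path, owner) : open_plan_naive(path);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int naive_follows_symlink(const char *dir)      { return try_open(dir, ".plan", 0, 0); }
int safe_refuses_symlink(const char *dir)       { return !try_open(dir, ".plan", 1, getuid()); }
int safe_opens_own_file(const char *dir)        { return try_open(dir, "myplan", 1, getuid()); }
int safe_refuses_foreign_owner(const char *dir) { return !try_open(dir, "myplan", 1, getuid() + 1); }

int main(void)
{
    const char *dir = fixture_dir();
    if (dir == NULL) { perror("fixture"); return 1; }
    printf("naive open follows .plan -> myplan: %s\n", naive_follows_symlink(dir) ? "yes" : "no");
    printf("safe open refuses the symlink:      %s\n", safe_refuses_symlink(dir) ? "yes" : "no");
    printf("safe open accepts own regular file: %s\n", safe_opens_own_file(dir) ? "yes" : "no");
    printf("safe open refuses foreign owner:    %s\n", safe_refuses_foreign_owner(dir) ? "yes" : "no");
    return 0;
}
```

The ownership test is done on the descriptor with fstat, not on the path with stat, so the file cannot be swapped between the check and the open; a daemon that instead drops to the fingered user's uid before opening gets the same protection from the kernel, which is the other common way to close this hole.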
