[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pinky command

From: Bob Proulx
Subject: Re: Pinky command
Date: Wed, 11 Nov 2009 18:15:32 -0700
User-agent: Mutt/1.5.18 (2008-05-17)

address@hidden wrote:
> In old days, attackers used to create .project symbolic to passwd
> and group files to get the List of login ids and group via
> fingerd.

The list of uids are already public in the /etc/passwd file.  That file
is already world readable.  Therefore it isn't clear to me how using
another command makes this a vulnerability.

> I guess, Sun had fixed this long back in Solaris. However
> in pinky, I can use symbolic link to /etc/passwd and /etc/group.

Do you have any references on the fix for this attack vector?

> $ cd  <--- Go to home dir 
> $ ln -s .project  /etc/passwd 

Obviously that should be switched. :-)

> $ pinky -l  mylogin 
> Pinky follows symlink of .project. I guess, Pinky should avoid .project
> if it is a symlink. 

Compare this "attack":

  $ ln -s /etc/passwd .project
  $ cat .project

To this one:

  $ cat /etc/passwd

How is finger/pinky more vulnerable than cat?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]