GNU Ffingerd 1.19 – ‘Username’ Validity Disclosure

Vulnerability ID 1105520 Vulnerability type
Published 1999-08-23 Updated 1999-08-23
CVE ID CVE-1999-0492
CNNVD-ID N/A
Platform Unix CVSS score 10.0
|Source
https://www.exploit-db.com/exploits/20327
|Vulnerability details
ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.
|Exploit
source: http://www.securityfocus.com/bid/1841/info

A vulnerability exists in Ffingerd version 1.19, the popular remote user-information server, that allows a remote user to determine whether or not a given username exists on the system.

Normally, if a user has declined to be open to finger requests, a finger attempt will elicit this response: 

'That user does not want to be fingered'

However, if a remote user attempts to finger a nonexistent username, the attempt will return the default message:

'That user does not want to be fingered.'

The extra '.' at the end of the second message reveals that the message was generated as a result of an attempt to finger a nonexistent user, as opposed to one who simply does not wish to be fingered. As a result, an attacker familiar with the discrepancy between the two failure message strings will be able to test the validity of usernames. Having this information can assist an attacker in carrying out other compromises of system security.

finger username@host
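
The discrepancy described above, modeled next to a hardened form and a regression check that compares the two refusal replies byte for byte. This is an added example, not ffingerd's source and not part of the original advisory; the enum, typedef and function names are hypothetical, and only the two message strings come from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the two refusal paths; names are hypothetical. */
enum lookup { USER_OPTED_OUT, USER_UNKNOWN };
typedef const char *(*responder)(enum lookup);

/* Behaviour the advisory describes: each path carries its own literal,
 * and the two literals differ only by the trailing '.'. */
const char *refusal_as_described(enum lookup r) {
    if (r == USER_UNKNOWN)
        return "That user does not want to be fingered.";
    return "That user does not want to be fingered";
}

/* Hardened form: every refusal path returns the same single literal,
 * so the lookup result cannot leak into the reply. */
const char *refusal_hardened(enum lookup r) {
    (void)r;
    return "That user does not want to be fingered.";
}

/* Offset of the first differing byte (terminator included), -1 if identical. */
long first_difference(const char *a, const char *b) {
    size_t i = 0;
    while (a[i] != '\0' && a[i] == b[i])
        i++;
    return (a[i] == b[i]) ? -1 : (long)i;
}

/* Regression check: compare the opted-out and unknown-user replies. */
long refusal_gap(responder respond) {
    return first_difference(respond(USER_OPTED_OUT), respond(USER_UNKNOWN));
}

int main(void) {
    printf("as described: first difference at byte %ld\n",
           refusal_gap(refusal_as_described));
    printf("hardened:     first difference at byte %ld\n",
           refusal_gap(refusal_hardened));
    return 0;
}
```

A check of this kind belongs in the daemon's test suite so that a later edit to one refusal string cannot reintroduce a distinguishable reply.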
