CVE-1999-0492
CVSS10.0
发布时间 :1999-04-23 00:00:00
修订时间 :2005-10-20 00:00:00
NMOE    

[原文]The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.


[CNNVD]CNNVD数据暂缺。


[机译]ffingerd 1.19允许远程攻击者在目标系统上根据其反应来识别用户。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0492
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0492
(官方数据源) NVD

- 其它链接及资源

- 漏洞信息 (20327)

GNU Ffingerd 1.19 Username Validity Disclosure Vulnerability (EDBID:20327)
unix remote
1999-08-23 Verified
0 Eilon Gishri
N/A [点击下载]
source: http://www.securityfocus.com/bid/1841/info

A vulnerability in Ffingerd version 1.19, the popular remote user-information server, which allows a remote user to determine whether or not a given username exists on the system.

Normally, if a user has declined to be open to finger requests, a finger attempt will elicit this response: 

'That user does not want to be fingered'

However, if a remote user attempts to finger a nonexistent username, the attempt will return the default message:

'That user does not want to be fingered.'

The extra '.' at the end of the second message reveals that the message was generated as a result of an attempt to finger a nonexistent user, as opposed to one who simply does not wish to be fingered. As a result, an attacker familiar with the discrepancy between the two failure message strings will be able to test the validity of usernames. Having this information can assist an attacker in carrying other compromises of system security.

finger username@host		

- 漏洞信息

5948
ffingerd .nofinger Remote User Enumeration
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

ffingerd contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user creates a .nofinger file in his home directory to prevent finger attempts. This instructs ffingerd to return the message, "The user does not wish to be fingered," without a trailing period. This message is different from the message generated when a user does not exist at all, which does include the trailing period.

- 时间线

1999-04-23 Unknow
1999-04-23 Unknow

- 解决方案

Upgrade to version 1.20 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: remove the world execute permissions from your home directory using chmod. See the chmod man page for details.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站