Vulnerabilities > CVE-2002-2244 - Race Condition vulnerability in Akfingerd 0.5

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
akfingerd
CWE-362
nessus
NVD
Published: 2002-12-31
Updated: 2017-07-29

Summary

Akfingerd 0.5 and earlier versions allow local users to cause a denial of service (crash) via a .plan with a symlink to /dev/urandom or other device, then disconnecting while data is being transferred, which causes a SIGPIPE error that Akfingerd cannot handle.

Vulnerable Configurations

Part Description Count
Application
Akfingerd
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

NASL familyMisc.
NASL idFINGER_AKFINGERD.NASL
descriptionThe remote finger service appears to vulnerable to a remote attack which can disrupt the service of the finger daemon. This denial of service does not affect other services that may be running on the remote computer, only the finger service can be disrupted. akfingerd version 0.5 or earlier is running on the remote host. This daemon has a history of security problems, make sure that you are running the latest version of akfingerd. Versions 0.5 and earlier of akfingerd are vulnerable to a remote denial of service attack. They are also vulnerable to several local attacks.
last seen2020-06-01
modified2020-06-02
plugin id11193
published2002-12-12
reporterThis script is Copyright (C) 2002-2018 Andrew Hintz
sourcehttps://www.tenable.com/plugins/nessus/11193
titleakfingerd 0.5 Multiple Vulnerabilities
code
#
# This script was written by Andrew Hintz <http://guh.nu>
# (It is based on Renaud's template.)
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title, added additional CVE/BID refs, added solution (6/27/09)
# - Changed family, 'finger abuses' being deprecated (12/15/11)

include("compat.inc");

if (description)
{
 script_id(11193);
 script_version("1.19");
 script_cvs_date("Date: 2018/08/22 16:49:14");

 script_cve_id("CVE-2002-2243", "CVE-2002-2244", "CVE-2002-2274");
 script_bugtraq_id(6323, 6324, 6325);

 script_name(english:"akfingerd 0.5 Multiple Vulnerabilities");
 script_summary(english:"Finger daemon DoS");

 script_set_attribute(attribute:"synopsis", value:"The remote service is vulnerable to several flaws.");
 script_set_attribute(attribute:"description", value:
"The remote finger service appears to vulnerable to a remote attack
which can disrupt the service of the finger daemon. This denial of
service does not affect other services that may be running on the
remote computer, only the finger service can be disrupted.

akfingerd version 0.5 or earlier is running on the remote host. This
daemon has a history of security problems, make sure that you are
running the latest version of akfingerd.

Versions 0.5 and earlier of akfingerd are vulnerable to a remote
denial of service attack. They are also vulnerable to several local
attacks.");
 script_set_attribute(attribute:"solution", value:
"akfingerd is no longer maintained. Disable the service and find an
alternative finger daemon.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(362);

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/12/12");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO); #This script should not disrupt the machine at all
 script_copyright(english:"This script is Copyright (C) 2002-2018 Andrew Hintz");
 script_family(english:"Misc.");

 script_dependencies("find_service1.nasl", "finger.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/finger", 79);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_kb_item("Services/finger");
if(!port)port = 79;
if(get_port_state(port))
{
 soc = open_sock_tcp(port);
 if(soc)
 {
  buf = string("[email protected]@127.0.0.1\r\n"); #send request for forwarded finger query
  send(socket:soc, data:buf);
  data = recv(socket:soc, length:96);
  close(soc);
  if("Forwarding is not supported." >< data) #check for forwarding-denial message used by akfingerd
  {
   soc1 = open_sock_tcp(port); #start a connection and leave it open
   if(soc1)
   {
    soc2 = open_sock_tcp(port); #start another connection and issue a request on it
    if(soc2)
    {
     send(socket:soc2, data:buf);
     data2 = recv(socket:soc2, length:96);
     if(!data2) security_warning(port);  #akfingerd won't send a reply on second connection while the first is still open
     close(soc2);
    }
    else security_warning(port);
    close(soc1);
   }
  }
 }
}

References