What is CVE-1999-1218?

CVE-1999-1218 is a publicly disclosed cybersecurity vulnerability with a LOW severity rating and CVSS score of 2.1.

How to search for CVE vulnerabilities?

You can search the 4nuxd CVE database using CVE IDs, vendor names, product names, or severity levels.

CVE-1999-1218

LOW2.1/ 10.0

Published: February 18, 1993 at 05:00 AM

Modified: April 3, 2025 at 01:03 AM

Source: cve@mitre.org

Vulnerability Description

Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.

CVSS Metrics

Base Score

2.1

Severity

LOW

Vector String

AV:L/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

NVD-CWE-Other

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Commodore Amiga UNIX 2.1p2a and earlier versions are vulnerable to a critical local file disclosure vulnerability through the finger utility. This allows attackers to read arbitrary files on the system, potentially exposing sensitive information like passwords, configuration files, and user data. Exploitation requires local access, but the impact can be severe, leading to system compromise and data breaches.

02 // Vulnerability Mechanism

Step 1: Local Access: The attacker must have local access to the vulnerable system, either through physical access, an existing compromised account, or another vulnerability.

Step 2: Crafting the Input: The attacker crafts a malicious input string to be passed to the finger utility. This input includes the path to the target file they want to read.

Step 3: Invoking Finger: The attacker executes the finger command with the crafted input, specifying the target file path.

Step 4: File Reading: The finger utility, due to the lack of input validation, reads the contents of the specified file.

Step 5: Information Disclosure: The contents of the target file are displayed to the attacker, revealing sensitive information.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in the finger utility's handling of user-supplied input, specifically related to how it processes file paths. The finger utility, when invoked with a crafted input, fails to properly validate the input, allowing an attacker to specify an arbitrary file path. This leads to the utility reading and displaying the contents of the specified file. The root cause is a lack of input validation and sanitization, allowing the attacker to bypass security checks and access restricted files. This is not a buffer overflow or race condition, but a simple path traversal vulnerability.