Source: cve@mitre.org
Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.
Commodore Amiga UNIX 2.1p2a and earlier ship a finger utility that lets an unprivileged local user read files the user's own account cannot open. The entry records only that outcome: it is a local information-disclosure flaw, not a remote one, and nothing in the record supports code execution. The practical impact depends on what the files contain; if a world-unreadable password database or other credential store is exposed, offline cracking and privilege escalation can follow.
Step 1: Local Access: The attacker needs an account or shell on the vulnerable system, whether through physical access, an already compromised user account, or another vulnerability. Remote finger queries are not part of the recorded vector.
Step 2: Choosing the Target File: The attacker picks a file that the finger program can open but the attacker's own account cannot. The CVE entry does not record the exact trigger; finger implementations of this era commonly ran with elevated privileges and read per-user files such as .plan and .project, so a user-controlled file reference (for example a symbolic link in the attacker's home directory pointing at a protected file) is the pattern to assume when analysing the binary, not a documented detail of this bug.
Step 3: Invoking finger: The attacker runs finger so that it reaches the target file. Any argument that is taken as, or resolves to, a path outside the files finger is meant to display is the thing to look for.
Step 4: Disclosure: finger opens the file with its own privileges rather than the caller's and prints the contents to the terminal. Every file readable by finger's effective user is exposed, including password databases if they are not protected by some other mechanism.
The underlying defect is a confused-deputy problem: finger runs with more privilege than the user who invokes it and opens a file chosen, directly or indirectly, by that user without checking whether the user is entitled to read it. The CVE description does not identify which input finger mishandles (an argument, a per-user file, or a symbolic link), and it does not describe a format string flaw or memory corruption; those claims are not supported by the entry and should not be repeated as fact. The fix, in any finger of this design, is to either drop privileges before opening user-influenced files or restrict the program to a fixed set of files it may read.
Given the age of the software and the small number of Amiga UNIX systems still running, this flaw is not a realistic target for current threat actors, but any attacker with a local account on such a system could use it. It is not in the CISA Known Exploited Vulnerabilities catalog, which lists only flaws with evidence of active exploitation.
Monitor system logs and process accounting records for unusual finger invocations, in particular arguments that look like paths, contain "..", or are unusually long.
Review process execution records for the finger process and flag command lines whose arguments are not plain user names or user@host forms.
Use file integrity monitoring (or at least periodic permission and symlink checks) on sensitive files such as /etc/passwd and /etc/shadow, and on users' .plan and .project files, since a symlink there is the classic way to redirect a privileged finger.
If fingerd is enabled in inetd (TCP port 79), remote finger requests reach the same code, so a network IDS rule for finger queries with path-like payloads is worth adding; the recorded vector is local, so treat this as a secondary control.
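The following script is an added example, not part of the original advisory and not Amiga UNIX tooling: it scans a process-execution log for finger invocations with path-like or unusually long arguments, which is the detection logic the items above describe. The log format (timestamp, uid, command line) and the sample lines are constructed for the example; adapt the field split to whatever accounting or audit source you actually have.

```shell
#!/bin/sh
# Added example: flag suspicious finger invocations in a process-execution log.
# Log format is assumed to be "<timestamp> <uid> <command> [args...]" (constructed
# for this example; real accounting formats differ).

# Constructed sample log, not real Amiga UNIX output.
SAMPLE_LOG='1999-01-05T10:01:02 501 finger alice
1999-01-05T10:02:10 501 finger /etc/shadow
1999-01-05T10:03:44 502 finger alice@localhost
1999-01-05T10:04:00 503 finger ../../etc/passwd
1999-01-05T10:05:00 504 ls -l /etc/passwd
1999-01-05T10:06:00 505 finger aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

# Arguments longer than this are flagged; 64 is a heuristic, not a documented limit.
MAX_ARG_LEN=64

# flag_finger_line LINE -> prints a reason and returns 0 if the line is a
# suspicious finger invocation, returns 1 otherwise.
flag_finger_line() {
    set -- $1                      # split on whitespace: $1=timestamp $2=uid $3=command
    [ $# -ge 3 ] || return 1
    [ "$3" = "finger" ] || return 1
    shift 3
    args=$*
    case $args in
        */*)                       # absolute path, relative path or ".." traversal
            echo "path-like argument: $args"
            return 0 ;;
    esac
    if [ "${#args}" -gt "$MAX_ARG_LEN" ]; then
        echo "long argument (${#args} chars)"
        return 0
    fi
    return 1
}

# count_suspicious: read log lines on stdin, write alerts to stderr,
# and print the number of flagged lines on stdout.
count_suspicious() {
    n=0
    while IFS= read -r line; do
        if reason=$(flag_finger_line "$line"); then
            echo "ALERT $line  [$reason]" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

printf '%s\n' "$SAMPLE_LOG" | count_suspicious
```

Run against the constructed log it reports three alerts (the /etc/shadow argument, the ../../etc/passwd traversal and the over-long argument); the plain user name, the user@host query and the unrelated ls line pass. Pipe your real accounting extract into count_suspicious after adjusting the field positions at the top of flag_finger_line.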
Patching: Apply a vendor fix if one exists. Commodore Amiga UNIX has been unsupported for decades, so a patch is unlikely to be available; treat the remaining items as the real remediation.
Upgrade: Where the system is still needed, move the workload to a maintained operating system; where it is not, decommission it.
Restrict Access: Limit who has local accounts on the system and remove unused ones. Strong passwords help; multi-factor authentication is not something this platform supports, so do not plan on it.
Disable Finger: If finger is not needed, remove the setuid bit from the binary or remove the binary, and comment out the finger entry in inetd.conf so fingerd is not reachable remotely. This removes the attack path entirely.
Privilege Reduction: If finger must stay and source is available, make it drop privileges before opening any user-influenced file (per-user .plan and .project files, or anything derived from its argument), and reject arguments that resolve outside the files it is meant to display. Rewriting input validation alone is error-prone; reducing privilege is the smaller and safer change.
File Permissions: Confirm that /etc/shadow and any other credential stores are not world-readable and are owned by root, so that a privileged file-read bug in any program has less to expose.
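As an added example (not part of the advisory and not Amiga UNIX's own tooling), the script below audits the three conditions the remediation items turn on: a setuid finger binary, a finger entry in inetd.conf, and a world-readable shadow file, and then applies the corresponding hardening. The paths /usr/bin/finger, /etc/inetd.conf, /etc/shadow and /usr/etc/in.fingerd are assumptions for a generic Unix layout, and the ROOT argument lets it run against a staged directory tree, which is how it is exercised here, instead of the live system.

```shell
#!/bin/sh
# Added example: audit and harden a finger installation on a Unix-like host.
# Paths below are assumed generic Unix locations, not taken from the advisory.
# ROOT is prefixed to every path so the checks can run on a staged tree.

# audit_finger ROOT -> prints one line per finding, then the finding count on the last line.
audit_finger() {
    root=${1:-}
    n=0
    f="$root/usr/bin/finger"
    if [ -u "$f" ]; then
        echo "FINDING: $f is setuid; a file-read bug in it runs with the owner's privileges"
        n=$((n + 1))
    fi
    c="$root/etc/inetd.conf"
    if [ -f "$c" ] && grep -q '^[[:space:]]*finger[[:space:]]' "$c"; then
        echo "FINDING: fingerd is enabled in $c; remote queries reach the same code"
        n=$((n + 1))
    fi
    s="$root/etc/shadow"
    if [ -f "$s" ] && [ -n "$(find "$s" -perm -004)" ]; then
        echo "FINDING: $s is world-readable"
        n=$((n + 1))
    fi
    echo "$n"
}

# harden_finger ROOT -> drop the setuid bit, comment out the inetd entry, lock down shadow.
harden_finger() {
    root=${1:-}
    f="$root/usr/bin/finger"
    [ -f "$f" ] && chmod u-s "$f"
    c="$root/etc/inetd.conf"
    if [ -f "$c" ]; then
        # sed -i is not POSIX, so rewrite through a temporary file.
        sed 's/^\([[:space:]]*finger[[:space:]]\)/#\1/' "$c" > "$c.tmp" && mv "$c.tmp" "$c"
    fi
    s="$root/etc/shadow"
    [ -f "$s" ] && chmod 600 "$s"
    return 0
}

# stage_fixture DIR -> build a constructed, deliberately weak tree for demonstration.
stage_fixture() {
    d=$1
    mkdir -p "$d/usr/bin" "$d/etc"
    printf '#!/bin/sh\necho fake finger\n' > "$d/usr/bin/finger"
    chmod 4755 "$d/usr/bin/finger"           # setuid, as a weak install would have
    printf '%s\n' \
        '# constructed inetd.conf fragment' \
        'finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd  in.fingerd' \
        'telnet  stream  tcp  nowait  root    /usr/etc/in.telnetd  in.telnetd' \
        > "$d/etc/inetd.conf"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$d/etc/shadow"
    chmod 644 "$d/etc/shadow"                # world-readable, the weak setting
}

# Stand-alone demonstration on a temporary tree.
demo=$(mktemp -d)
stage_fixture "$demo"
echo "before:"; audit_finger "$demo"
harden_finger "$demo"
echo "after:";  audit_finger "$demo"
rm -rf "$demo"
```

On the staged tree the audit reports three findings before hardening and none after. To run it against a real host, call audit_finger with no argument (or "/") as root, review the findings, and only then run harden_finger; the inetd change takes effect after inetd re-reads its configuration.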