Carolyn P. Meinel Hall of Shame
Hacking Guide Errata


> GUIDE TO (mostly) HARMLESS HACKING
> 
> Vol. 1 Number 3

> Newbie Note #2: Is your password easy to crack? If you have a shell
> account, you may change it with the command:
> 
>         passwd


'passwd' will not change my password on my ISP. However, if I
type 'yppasswd', it works just fine. You may want to qualify your
statements. If a system is running NIS, that changes things. Running 'passwd'
will also be invalid on any system running OTPs (One-Time Passwords), or
on systems running with system AND individual passwords. I would also
imagine there are a few other cases where 'passwd' would not work.

'passwd' WILL work on standalone unix hosts without any distributed
password scheme.
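A quick way to tell which case you are in before typing either command, as an added example that is not part of the original guide or this errata: look at the two files any user can read, /etc/passwd and (where it exists) /etc/nsswitch.conf. The sample file contents below are constructed, and the whole thing assumes the classic NIS-client setup the text describes, where passwd(1) only edits the local file and yppasswd(1) talks to the NIS master; on a PAM-based host passwd may already be NIS-aware, so treat the answer as a hint.

```python
"""Decide whether `passwd` or `yppasswd` applies to an account.

Added example, not code from the guide or the errata author.  It reads
/etc/passwd and /etc/nsswitch.conf text and reports which command edits
the password for a given user.  The inputs are constructed samples.
Assumption: a classic (pre-PAM) NIS client, where passwd(1) edits only
the local file and yppasswd(1) is needed for NIS-served accounts.
"""

import re

# Constructed sample: an NIS client in "compat" mode.  The trailing "+"
# line tells libc to pull every other account from the NIS passwd map.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Local:/home/alice:/bin/sh
+::::::
"""

SAMPLE_NSSWITCH = """\
passwd:     compat
group:      compat
hosts:      files dns
"""


def has_compat_lines(passwd_text):
    """True if /etc/passwd carries +/- NIS compat directives."""
    return any(l[0] in "+-" for l in passwd_text.splitlines() if l)


def local_passwd_entries(passwd_text):
    """Return the usernames stored locally in /etc/passwd.

    '+' and '-' lines are NIS compat directives, not accounts, so skip them.
    """
    names = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#") or line[0] in "+-":
            continue
        names.add(line.split(":", 1)[0])
    return names


def nis_enabled(passwd_text, nsswitch_text):
    """True if the passwd database is served (at least partly) by NIS."""
    for line in nsswitch_text.splitlines():
        m = re.match(r"^\s*passwd\s*:\s*(.*)$", line)
        if m:
            sources = m.group(1).split()
            if "nis" in sources:
                return True
            if "compat" in sources:
                # compat mode reaches NIS only when a +/- line exists.
                return has_compat_lines(passwd_text)
            return False
    # No passwd line / no nsswitch.conf (older SunOS, BSD): the presence
    # of a '+' line alone means NIS compat lookups are in effect.
    return has_compat_lines(passwd_text)


def password_change_command(username, passwd_text, nsswitch_text=""):
    """'passwd' for a local account, 'yppasswd' for an NIS-served one."""
    if username in local_passwd_entries(passwd_text):
        return "passwd"
    if nis_enabled(passwd_text, nsswitch_text):
        return "yppasswd"
    # Neither local nor NIS: some other scheme (OTP, etc.); ask the admin.
    return "unknown"


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "->", password_change_command(user, SAMPLE_PASSWD,
                                                  SAMPLE_NSSWITCH))
```

On a live host, replace the samples with `open("/etc/passwd").read()` and `open("/etc/nsswitch.conf").read()` (if present) and pass your own login name; "alice" above is local and gets passwd, "bob" is only in the NIS map and gets yppasswd.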

> That means finger can look in any account. 
> 
> That means if it crashes, you may end up in root.


If a daemon like 'fingerd' receives input it can't handle and, for
some weird reason, crashes, it will NOT drop you into a root shell.

> Truly elite types will crack into a root account from finger and just
> leave immediately. They say the real rush of cracking comes from being 
> *able* to do anything to boring.ISP.net -- but refusing the temptation.


Hackers/crackers do not crack into a root account from finger. If a system
runs 'fingerd' in such a way that it hands user input to a Ph-style
database, arbitrary commands may reach the shell. Even then, it relies
on the remote host running fingerd as root, and on you having sufficient
skill to code an exploit that gets the unchecked data to the
system. Not only is that a bunch of "ifs" and "maybes", but in several years
of security consulting and incident response I have yet to see it.

> The bottom line is that any systems administrator that leaves the finger
> service running on his/her system is taking a major risk. If you are the
> user of an ISP that allows finger, ask yourself this question: is using
> it to advertise your existence across the Internet worth the risk?


Major risk? It is obvious you have never done a security assessment of a
computer system, and never done risk analysis for a network. Finger is
very low risk compared to other network services. Even if you finger
a machine and find out all the users, who is on, machine load, uptime,
and whatever else, what good will that do you unless you revert to
password guessing? Knowing home directories and system paths can be helpful
when writing specific remote attacks that call programs. Knowing user
names and personal information is good for social-engineering style
attacks. Running a replacement fingerd such as 'ffingerd' offers
increased security, user discretion over queries, and detailed logging
of all finger activity.


Now, after all that finger fun, you did not mention a few things.
Finger can also be used for a lot of fun on our local machines (legal
or not). There are a few known bugs in finger where a user can make it
execute arbitrary commands as root. Another bug exists where we can
append to any file. Wouldn't it be fun to tell the admin of a system how
you hacked him or her by adding something to the MOTD? There are also
several finger-related bugs where we can read any file on the system via
symlinks. To top it off, there is a known bug where finger can
completely crash the machine, causing a DoS attack of sorts.

As for remote finger, you didn't really get into 'finger @@' or
"finger diverting" (using one site to finger another for you). You
really should be thorough and at least mention these other things to give
your 'students' an idea of the grand scope.
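To make concrete both the "what does finger actually give an attacker" point above (usernames, home directories, shells, where people log in from) and the 'finger @@' forwarding form, here is an added example that is not code from the original guide or from this errata. It builds the exact request line a finger client sends per RFC 1288, splits a 'user@host1@host2' argument the way the BSD client does (connect to the rightmost host and hand it the rest as the query), and parses a long-format reply into records an assessor would feed into password guessing or social engineering. SAMPLE_REPLY is a constructed BSD-style reply, not captured output; the hostnames in it are made up.

```python
"""Finger (RFC 1288) as an enumeration source.

Added example, not from the guide or the errata author.  Builds finger
request lines (including the user@host@host forwarding form), splits a
forwarding target the way the BSD finger client does, and parses a
long-format reply into per-user records.  SAMPLE_REPLY is constructed.
"""

import re
import socket


def finger_query(target="", verbose=False):
    """Return the request bytes a finger client sends, per RFC 1288.

    ""         -> everyone logged in             b"\\r\\n"
    "alice"    -> one user                       b"alice\\r\\n"
    "alice@h1" -> ask the contacted host to      b"alice@h1\\r\\n"
                  forward the query to h1 ("finger diverting")
    verbose    -> "/W " prefix requests the long form
    """
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF not allowed in a finger query")
    return (("/W " if verbose else "") + target + "\r\n").encode("ascii")


def split_finger_target(arg):
    """Split 'user@h1@h2' into (host_to_connect, query_to_send).

    The RIGHTMOST host is the one we connect to; everything left of that
    '@' is sent to it verbatim, so 'user@h1@h2' means "connect to h2 and
    have it finger user@h1".  No '@' means the local host (None).
    """
    if "@" not in arg:
        return None, arg
    query, _, host = arg.rpartition("@")
    return host, query


def fetch_finger(host, query="", verbose=False, timeout=5.0):
    """Send one query to host:79 and return the raw reply (needs network)."""
    with socket.create_connection((host, 79), timeout=timeout) as s:
        s.sendall(finger_query(query, verbose))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


# Constructed sample of a BSD long-format ("/W") reply for two users.
SAMPLE_REPLY = """\
Login: alice                            Name: Alice Example
Directory: /home/alice                  Shell: /bin/ksh
On since Mon Mar  3 09:12 (EST) on ttyp1 from dialup-12.example.net
Mail last read Mon Mar  3 09:15 1997 (EST)
Plan:
Sysadmin, call x4321 for password resets.

Login: bob                              Name: Bob Example
Directory: /home/bob                    Shell: /bin/csh
Last login Sun Mar  2 23:40 (EST) on ttyp3 from bob-pc
No Plan.
"""


def parse_long_finger_reply(text):
    """Extract login, name, home, shell, login state and .plan per user."""
    users, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^Login:\s*(\S+)\s+Name:\s*(.*?)\s*$", line)
        if m:
            cur = {"login": m.group(1), "name": m.group(2), "plan": []}
            users.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^Directory:\s*(\S+)\s+Shell:\s*(\S+)", line)
        if m:
            cur["home"], cur["shell"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^(On since|Last login).*?\bfrom\s+(\S+)", line)
        if m:
            cur["logged_in"] = m.group(1) == "On since"
            cur["from_host"] = m.group(2)
            continue
        if line.startswith("Plan:"):
            cur["_in_plan"] = True
        elif cur.get("_in_plan") and line.strip():
            cur["plan"].append(line)
    for u in users:
        u.pop("_in_plan", None)
    return users


if __name__ == "__main__":
    print(split_finger_target("alice@h1@h2"), finger_query("alice@h1", True))
    for u in parse_long_finger_reply(SAMPLE_REPLY):
        print(u["login"], u.get("home"), u.get("shell"), u.get("from_host"))
```

The parsed records are exactly the "low risk but not no risk" material the text describes: a username list for guessing, the shell and home paths for crafting a remote attack that calls programs, and the client hostnames and .plan text for a social-engineering pretext. fetch_finger is the only network-touching piece and is not needed to run the parsing offline.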