Finger Bomb contents.gifindex.gif

Finger Bomb

Some finger daemons allow redirecting the finger to remote sites. To finger through several sites, an intruder could use:

finger username@hostA@hostB

The finger will go through hostB then to hostA. This helps hackers cover their tracks because hostA will see a finger coming from hostB instead of the original service. This technique has been used to go through firewalls themselves if they are not properly configured. This can happen by using the command

finger user@host@firewall

A denial of service attack may happen when an intruder types:

finger username@@@@@@@@@@@@@@@@@@@@@hostA

The repeated @ causes the finger to recursively finger the same machine repeatedly till the memory and hard drive swap space fill up. This causes the machine to crash or slow to an unusable speed.

Risk: Medium

Fix: Disable fingerd by commenting out the finger line in inetd.conf and kill -HUP inetd process. Some finger daemons such as GNU finger allow you to turn off redirection.

Patch: GNU Finger