Bugtraq mailing list archives

Re: SunOS 4.1.4 fingerd
From: dittrich () cac washington edu (Dave Dittrich)
Date: Thu, 16 May 1996 13:04:07 -0700

On Thu, 16 May 1996, Andy Dills wrote:

> I know I have seen it written up someplace about the flaw when
> finger 0@XXX.com is done. (It shows a finger output on every user, which
> as we know, can be a very useful tool to those with bad intentions)
> Anyway, I have found that fingering .@XXX.com also yields the same result.

The trick, as I learned it, was to use @@XXX.com on Ultrix systems.
After a quick test, I notice that single letters and "." don't work on
Ultrix, but any digit or "@" does.  Go figure.  Probably some Berkeley
student had a hangover the day they coded finger?

> Thus, we just added a user 0 (zero). Problem fixed.

Looks like you'll have to add a few more users! ;)

Dave Dittrich                  Client Services, Computing & Communications
dittrich () cac washington edu    University of Washington

<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich () cac washington edu</a>
