Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: in.fingerd vulnerability
From: brian () ASL-LABS BC CA (Brian Hampson)
Date: Wed, 20 Aug 1997 13:55:46 -0700


I made a call to DG, and the person I spoke with said "That's why it's
commented out, with a warning about security"

So....I reposted the message to the DGUSERS mailing list, and got the following
response.  We are in the midst of preparing for the upgrade, so I can't verify
it.

As stated below...apparently it's fixed in MU03.  FWIW, DG/UX is officially up
to 4.11MU04,with 4.20 coming soon.

B.
--- BEGIN forwarded message ----------------------------------------------

[...]

This was posted on the BUGTRAQ(large distribution among the security AND
hacking communities) mailing list the other day....A HUGE security hole in
DGUX's finger.  A call to DGUX resulted in a "well...that's why it's commented
out by default"... :(

I'm in the process of submitting an RFE with DG, but I don't have a lot of
hope.

Brian - FYI - This problem is fixed in revision R4.11MU03 and later of DG/UX.

William Crosmun
Data General Corp.


The only work arounds I can think of are:

1) disable fingerd
2) use tcpwrappers, and have a wrapper program check for the offending pipe and
other shell specials 3) find a third party fingerd that DOESN'T have this wide
open door to root.

[...]

-----------------------------------------------------
 -- End of forwarded message
-----------------------------------------------------
--
"Vision without action is a daydream. Action without vision is a nightmare"

   Brian P. Hampson                  ASL Analytical Service Laboratories Ltd
   System Administrator,             Vancouver, BC (604)253-4188
   ----------------- http://www.asl-labs.bc.ca/ ----------------------------

These opinions are MINE I tell you ....all mine!!! (nobody else wants them)



  By Date           By Thread  

Current thread:
  • Re: in.fingerd vulnerability Brian Hampson (Aug 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]