Home page logo
/

bugtraq logo Bugtraq mailing list archives

"The Finger Server"
From: iwade () OPTUSNET COM AU (Iain Wade)
Date: Fri, 4 Feb 2000 22:36:55 +1100


Hello,

Late last year I was tinkering w/ The Finger Server v0.82 and came
across some bugs which let you execute shell commands under the
privileges of the web server.

It's available at http://www.glazed.org/finger/

I sent a number of messages to the Author but never received a reply ..
I just remembered about it and checked it was still vulnerable and still
being used around the net. It is.

It's just another case of perl doing it's magic on an open() call.

I haven't by any means audited the code, so there is undoubtably other
problems, but here's the offending code I exploited:

    open (PLANS, "$plan_path$filename") ||
            do { print "Can't open $plan_path$filename: $!";
                 return;
               };

It is called with the following arguments;

finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.plan

It does minimal checking before there, really only making sure the
username is valid, but for example by using:

finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shell
code>|

you can execute whatever ..

The server I was testing it on was running UBB, and I was easily able to
use this to grab a couple of thousand accounts since it stores them in
cleartext. (I promptly forgot those passwords .. it wouldn't be nice to
do otherwise right? :)

Regards,

--
Iain Wade
iwade () optusnet com au



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault