[178] in linux-security and linux-alert archive
GNU finger 1.37 executes ~/.fingerrc with gid root (fwd)
daemon@ATHENA.MIT.EDU (Elias Levy)
Sat Mar 18 19:13:45 1995
Date: Sat, 18 Mar 1995 11:21:52 -0800 (PST)
From: Elias Levy <elias@power.net>
To: linux-security@tarsier.cv.nrao.edu
This may be interesting to linux admins. Enjoy.
elias@power.net (Elias Levy)
PowerNet, Inc.
---------- Forwarded message ----------
Date: Fri, 17 Mar 1995 12:42:02 +0100 (MET)
From: Thomas Roessler <roessler@sobolev.cologne.de>
To: bug-gnu-utils@gnu.ai.mit.edu, bugtraq@fc.net
Cc: Thomas Roessler <roessler@sobolev.cologne.de>
Subject: GNU finger 1.37 executes ~/.fingerrc with gid root
There is a bug in the `lib/site/userinfo.c' module of GNU finger version
1.37 allowing any user on a system to execute arbitrary commands with gid
root from ~/.fingerrc. The problem is that GNU finger *first* changes its
userid thus giving away root privileges and *then* tries to change its gid
which will not succeed.
Greetings, Thomas
*** userinfo.c.orig Fri Mar 17 12:12:28 1995
--- userinfo.c Fri Mar 17 12:12:37 1995
***************
*** 241,262 ****
dup (fileno (*streamp));
}
if (fileno (*streamp) != 2)
{
close (2);
dup (fileno (*streamp));
}
/* Set uid/gid */
- setuid (user->pw_uid);
setgid (user->pw_gid);
/* Set default directory */
chdir (user->pw_dir);
/* Run ~/.fingerrc through user shell */
#ifdef FINGERRC_SHELL
execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
#else
execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
#endif
--- 241,262 ----
dup (fileno (*streamp));
}
if (fileno (*streamp) != 2)
{
close (2);
dup (fileno (*streamp));
}
/* Set uid/gid */
setgid (user->pw_gid);
+ setuid (user->pw_uid);
/* Set default directory */
chdir (user->pw_dir);
/* Run ~/.fingerrc through user shell */
#ifdef FINGERRC_SHELL
execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
#else
execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
#endif
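Review bot: the return values of setgid() and setuid() are still ignored in the new section (under "/* Set uid/gid */"), so if either call fails the code falls through to execlp() and runs ~/.fingerrc with whatever ids the process still holds. Suggest checking both before the chdir(), for example `if (setgid (user->pw_gid) != 0 || setuid (user->pw_uid) != 0) _exit (1);`. The reordering itself is correct, since setgid() needs the privilege that setuid() gives away. Nothing in the visible lines resets the supplementary group list; unless that happens earlier in the function, an initgroups() or setgroups() call belongs before setgid(). The result of chdir() is unchecked as well.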
--
roessler@rhein.iam.uni-bonn.de * roessler@sobolev.cologne.de
MURPHY'S LAW:
If anything can go wrong, it will.
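
An added example, not part of the original message or of GNU finger's source: a privilege drop in the order the patch establishes (group ids before user id). It goes beyond the patch by also resetting supplementary groups, checking every return value, and confirming that root ids cannot be regained. The name `drop_privileges` and the demo `main` are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from GNU finger): permanently switch to uid/gid.
 * Returns 0 on success, -1 on any failure; the caller must not exec on -1.
 *
 * Group changes need root, so they come before setuid(). The reverse order
 * is the bug in the advisory: setuid() succeeds, setgid() then fails, and
 * the process keeps gid root.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Replacing the supplementary group list needs privilege (root). */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the ids actually changed rather than trusting the calls. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;

    /* After a real drop, getting root ids back must be impossible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (uid != 0 && gid != 0 && setgid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: drop to the caller's own ids (works without root). */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```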