[5073] in bugtraq


Re: perl fingerd stupidity

daemon@ATHENA.MIT.EDU (Greg Bacon)
Fri Aug 1 14:06:34 1997

Date: 	Fri, 1 Aug 1997 08:30:03 -0500
Reply-To: Greg Bacon <gbacon@CRP-201.ADTRAN.COM>
From: Greg Bacon <gbacon@CRP-201.ADTRAN.COM>
X-To:         Chris Terry <chris@viper.net>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 31 Jul 1997 14:34:43 CDT." 
              <33E0E8D3.8BCADBE@viper.net>

If that fingerd were run with taint checks on (i.e. #! perl -T), then
it wouldn't be such a huge hole.  A better way to have done it would
be something like:

    #! /usr/bin/perl -T

    require 5;  # if you don't have it, upgrade already! :-)

    $ENV{PATH} = join ":", qw( /bin /usr/bin );

    $user = <STDIN>;
    chomp $user;

    # Under -T, $user is tainted, and system() refuses a tainted argument
    # even in list form.  Pulling the value out through a regex capture is
    # what untaints it, and the pattern doubles as validation: plain
    # account names only, so no '/' or '..' can reach the path below.
    ($user) = $user =~ /^(\w+)$/ or exit 1;

    if (-e "/usr/lib/finger/$user") {
        system "perl", "/usr/lib/finger/$user";
    }
    else {
        system "perl", "/usr/lib/finger/default", $user;
    }

Note that passing a list to system (or exec) bypasses the shell, so
even if $user eq 'foo; rm -rf /', there is no danger as far as this
script is concerned (it all depends on what those scripts in /usr/lib
are doing with their arguments).

(If you're still wondering about taint checks, -T is just an instruction
to perl telling it that it shouldn't let data from the outside world come
in and be a part of operations that affect the outside world without first
being subject to a thorough looking over.)

Greg
--
open(G,"|gzip -dc");$_=<<EOF;s/[0-9a-f]+/print G pack("h*",$&)/eg
f1b88000b620f22320303fa2d2e21584ccbcf29c84d2258084
d2ac158c84c4ece4d22d1000118a8d5491000000
EOF
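An added example, not part of Greg's post, that shows the two points made above: what -T actually does with data read from STDIN (refusal, then untainting through a regex capture), and how the string form of system() differs from the list form. It assumes a Unix host with echo in /bin or /usr/bin and is run as `printf 'foo\n' | perl -T taint_demo.pl`.

```perl
#!/usr/bin/perl -T
# Added example (not code from the post): -T versus fingerd-style input, and
# list-form system() versus string-form.  Run it with perl -T, otherwise perl
# stops with "Too late for -T".
use strict;
use warnings;
use Scalar::Util qw(tainted);              # core module since perl 5.8

$ENV{PATH} = '/bin:/usr/bin';              # exec needs an untainted PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};  # shell-influencing vars, per perlsec

my $user = <STDIN>;
defined $user or exit 1;
$user =~ s/\r?\n\z//;                      # finger clients send CRLF

printf "input %s tainted\n", tainted($user) ? "is" : "is not";

# 1. Even in list form, perl refuses to hand tainted data to system().
my $ran = eval { system 'echo', $user; 1 };
print "system(LIST) with tainted arg: ", $ran ? "ran\n" : "refused: $@";

# 2. Untainting means extracting the value through a regex capture, so the
#    pattern is the validation.  Accept only a plain account name.
if (my ($clean) = $user =~ /\A(\w+)\z/) {
    printf "validated value %s tainted\n", tainted($clean) ? "is" : "is not";
    system 'echo', 'finger request for', $clean;   # now permitted
}
else {
    print "rejected: not a plain user name\n";
}

# 3. String form goes through /bin/sh, which interprets metacharacters;
#    list form passes one literal argv entry.  Constructed, untainted input.
my $meta = 'foo; echo INJECTED';
system "echo $meta";                       # shell runs two commands
system 'echo', $meta;                      # prints the literal string once
```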
