[7261] in bugtraq
Re: Forwared to me
daemon@ATHENA.MIT.EDU (Illuminatus Primus)
Tue Jul 14 15:41:20 1998
Date: Mon, 13 Jul 1998 12:54:11 -0400
Reply-To: Illuminatus Primus <vermont@gate.net>
From: Illuminatus Primus <vermont@GATE.NET>
X-To: Solar Designer <solar@FALSE.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199807100041.EAA10822@false.com>
On Fri, 10 Jul 1998, Solar Designer wrote:
> > # mv /usr/bin/finger /usr/bin/finger.exe
> > # cat > /usr/bin/finger
> > #!/bin/sh
> > exec /usr/bin/finger.exe -m $*
> > ^D
> > # chmod +x /usr/bin/finger
>
> Hmm, weird, this doesn't look safe to me. Why trust the extra parsing done
> by the shell?
>
Which happens to include filename globbing.
This "fix" will now allow people to do:
finger '/*@hostname'..
Which could reveal a lot more information than finger was intended to..
Not to mention
finger '/*/*/*/*/*@hostname'
.. which might turn out to be a far worse DOS than the original attack.
If we are forced to use a shell,
#!/bin/sh
exec /usr/bin/finger -m "$*"
will prevent the arguments from being globbed, at least with my version of
bash (2.02.0(1)-release).
-Illuminatus Pimpus
vermont@gate.net
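An added illustration of the point above (not part of the original post or of any finger package): a small POSIX sh script in which `fake_finger` stands in for `/usr/bin/finger.exe` and simply reports the arguments it actually received, so the effect of each quoting style in the wrapper is visible. It goes one step beyond the post by also showing the `"$@"` form, which keeps the arguments separate as well as unglobbed; the scratch directory and the `a1@host`-style files are constructed for the demo.

```shell
#!/bin/sh
# Added example: what the shell does to a wrapper's arguments under three
# quoting styles. fake_finger is a stand-in for the real finger binary.

fake_finger() {
    shift                       # drop the -m the wrapper prepends
    printf '%s arg(s):' "$#"
    printf ' [%s]' "$@"
    echo
}

# Unquoted $*: the wrapper from the quoted "fix". The user's argument is
# word-split and glob-expanded against the current directory first.
wrap_unquoted()    { fake_finger -m $*; }

# "$*": the poster's fix. No globbing, but every argument is joined into
# ONE word, so `finger alice bob` becomes a lookup of "alice bob".
wrap_star_quoted() { fake_finger -m "$*"; }

# "$@": the idiomatic form. No globbing, and each argument stays separate.
wrap_at_quoted()   { fake_finger -m "$@"; }

# Run all three against a constructed scratch directory so the glob in
# '*@host' has something to match.
demo() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        touch a1@host a2@host a3@host      # constructed filenames
        printf 'unquoted $*  -> %s\n' "$(wrap_unquoted '*@host' second)"
        printf 'quoted "$*"  -> %s\n' "$(wrap_star_quoted '*@host' second)"
        printf 'quoted "$@"  -> %s\n' "$(wrap_at_quoted '*@host' second)"
    )
    rm -rf "$tmp"
}

demo
```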