[1301] in bugtraq
GNU finger 1.37 executes ~/.fingerrc with gid root
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Sat Mar 18 06:42:11 1995
To: bug-gnu-utils@gnu.ai.mit.edu, bugtraq@fc.net
Date: Fri, 17 Mar 1995 12:42:02 +0100 (MET)
From: "Thomas Roessler" <roessler@sobolev.cologne.de>
Cc: roessler@sobolev.cologne.de (Thomas Roessler)
There is a bug in the `lib/site/userinfo.c' module of GNU finger version
1.37 allowing any user on a system to execute arbitrary commands with gid
root from ~/.fingerrc. The problem is that GNU finger *first* changes its
userid thus giving away root privileges and *then* tries to change its gid
which will not succeed.
Greetings, Thomas
*** userinfo.c.orig Fri Mar 17 12:12:28 1995
--- userinfo.c Fri Mar 17 12:12:37 1995
***************
*** 241,262 ****
dup (fileno (*streamp));
}
if (fileno (*streamp) != 2)
{
close (2);
dup (fileno (*streamp));
}
/* Set uid/gid */
- setuid (user->pw_uid);
setgid (user->pw_gid);
/* Set default directory */
chdir (user->pw_dir);
/* Run ~/.fingerrc through user shell */
#ifdef FINGERRC_SHELL
execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
#else
execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
#endif
--- 241,262 ----
dup (fileno (*streamp));
}
if (fileno (*streamp) != 2)
{
close (2);
dup (fileno (*streamp));
}
/* Set uid/gid */
setgid (user->pw_gid);
+ setuid (user->pw_uid);
/* Set default directory */
chdir (user->pw_dir);
/* Run ~/.fingerrc through user shell */
#ifdef FINGERRC_SHELL
execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
#else
execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
#endif
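Review bot: neither setgid () nor setuid () in the `/* Set uid/gid */` block has its return value checked, so if either call fails the code still falls through to execlp () and runs ~/.fingerrc with whatever privileges are left; swapping the two lines cures the EPERM that setgid () hit after setuid () had already given up root, but the drop still does not fail closed. Something like `if (setgid (user->pw_gid) < 0 || setuid (user->pw_uid) < 0) exit (1);` before chdir () would. The block also never resets supplementary groups (no setgroups ()/initgroups () call before setgid ()), so any groups the root daemon was started with are inherited by the shell that runs the user's ~/.fingerrc.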
--
roessler@rhein.iam.uni-bonn.de * roessler@sobolev.cologne.de
MURPHY'S LAW:
If anything can go wrong, it will.
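The ordering bug above is a general one, not specific to finger: once setuid() has dropped root, setgid() (and setgroups()) can no longer succeed, so the gid stays whatever the daemon started with. The following is an added example, not GNU finger's code, showing the privilege drop done in the right order with every call checked and the result verified before anything user-controlled is executed. It goes beyond the one-line reordering in the patch by also clearing supplementary groups and by confirming that root cannot be regained. It assumes a user named "nobody" exists when run as root; run as an ordinary user it simply drops to the caller's own uid/gid.

```c
/* Added example (not GNU finger code): drop root privileges in the right
 * order and verify the drop took, before exec'ing anything user-controlled. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 0 if the process really runs as uid/gid and cannot get root
 * back, -1 otherwise. The setuid(0)/setgid(0) probes catch the case where
 * only the effective id changed and the saved id is still 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* root was regainable: drop incomplete */
        return -1;
    if (gid != 0 && setgid(0) == 0)
        return -1;
    return 0;
}

/* The order GNU finger 1.37 used (the "before" side of the patch), with
 * return checks added so the failure is visible. As root this returns -1:
 * after setuid() has dropped to a non-root uid, setgid() fails with EPERM
 * and the process keeps gid root. Shown for contrast only; do not use. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0)
        return -1;
    if (setgid(gid) != 0)   /* EPERM once uid != 0 and gid is not already ours */
        return -1;
    return 0;
}

/* Correct order: supplementary groups (root only, since setgroups() needs
 * root), then gid, then uid. Every call is checked; on any failure the
 * caller must refuse to exec rather than run with leftover privileges. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    return privileges_dropped(uid, gid);
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0) {
        /* Running as root: drop to "nobody" (assumed to exist on this host). */
        struct passwd *pw = getpwnam("nobody");
        if (pw == NULL) {
            fprintf(stderr, "no such user: nobody\n");
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to exec\n");
        return 1;
    }
    printf("now uid=%u gid=%u, root not regainable\n",
           (unsigned)geteuid(), (unsigned)getegid());
    /* This is where the finger daemon would execlp() the user's shell. */
    return 0;
}
```

The point of `privileges_dropped()` is that the check is made on what the kernel reports, not on what the code believes it did; the original daemon would have passed any "did I call setuid and setgid" review and still exec'd with gid root.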