[2541] in bugtraq

Re: SunOS 4.1.4 fingerd

daemon@ATHENA.MIT.EDU (Dave Dittrich)
Thu May 16 16:48:08 1996

Date:         Thu, 16 May 1996 13:04:07 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Dave Dittrich <dittrich@cac.washington.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.SUN.3.91.960516152244.20742A-100000@bigdog.fred.net>

On Thu, 16 May 1996, Andy Dills wrote:

> I know I have seen it written up someplace about the flaw when
> finger 0@XXX.com is done. (It shows a finger output on every user, which
> as we know, can be a very useful tool to those with bad intentions)
> ...
> Anyway, I have found that fingering .@XXX.com also yields the same result.

The trick, as I learned it, was to use @@XXX.com on Ultrix systems.
After a quick test, I notice that single letters and "." don't work on
Ultrix, but any digit or "@" does.  Go figure.  Probably some Berkeley
student had a hangover the day they coded finger?

> Thus, we just added a user 0 (zero). Problem fixed.

Looks like you'll have to add a few more users! ;)

--
Dave Dittrich                  Client Services, Computing & Communications
dittrich@cac.washington.edu    University of Washington

<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich@cac.washington.edu</a>
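
The thread reports the same full listing for several different names ("0", ".", "@", other digits, depending on the system), which is why adding a user named 0 does not close the hole. An allowlist alternative, as an added example that is not part of the original post: a check a wrapper could apply to each request line before passing it to the real fingerd. The login-name pattern, length cap, account set and sample request lines are assumptions constructed for illustration.

```python
import re

# Assumed site policy (not from the thread): login names start with a letter.
LOGIN_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")
MAX_LINE = 128  # assumed cap on request length

def check_finger_query(line, accounts):
    """Return (allowed, reason) for one raw finger request line (bytes)."""
    if len(line) > MAX_LINE:
        return False, "request too long"
    try:
        tokens = line.decode("ascii").split()
    except UnicodeDecodeError:
        return False, "non-ASCII request"
    if tokens and tokens[0].upper() == "/W":  # RFC 1288 verbose switch
        tokens = tokens[1:]
    if not tokens:
        return False, "empty query would list all users"
    if len(tokens) > 1:
        return False, "more than one name"
    name = tokens[0]
    if "@" in name:
        return False, "'@' in name (forwarding or the '@' trick)"
    if not LOGIN_RE.fullmatch(name):
        return False, "not a well-formed login name"
    if name not in accounts:
        return False, "no such account"
    return True, "ok"

# Constructed sample data: an account set that includes the "0" workaround
# user, and request lines for the names mentioned in the thread.
ACCOUNTS = {"alice", "0"}
SAMPLES = [b"0\r\n", b".\r\n", b"@\r\n", b"7\r\n", b"\r\n",
           b"/W alice\r\n", b"alice\r\n", b"bob\r\n"]

def triage(samples=SAMPLES, accounts=ACCOUNTS):
    """Map each sample line to its (allowed, reason) verdict."""
    return {s: check_finger_query(s, accounts) for s in samples}

if __name__ == "__main__":
    for raw, (ok, why) in triage().items():
        print(f"{raw!r:16} {'PASS' if ok else 'DROP'}  {why}")
```

The query "0" is dropped even though an account named 0 exists in the sample set, because the decision is made on the shape of the name rather than on a list of known-bad names.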
