Apparently (and amazingly) current dgux ships with a finger daemon that allows remote users to pipe commands. IE you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!).
George Imburgia <gti@HOPI.DTCC.EDU>
remotely run arbitrary programs with UID that is running in.fingerd. Sometimes this means you can remotely become root .
dgux, versions unknown.
11 August 1997
If this is true it is rather pathetic!
Date: Mon, 11 Aug 1997 12:32:38 -0400
From: George Imburgia <gti@HOPI.DTCC.EDU>
Subject: dgux in.fingerd vulnerability
Another old bug that won't die.
The finger daemon that ships with dgux will allow a remote user to pipe
commands, often with uid root or bin.
To check for this vulnerability, simply use the RFC compliant syntax;
If it returns something like this, it may be vulnerable;
Login name: /W In real life: ???
To see the uid in.fingerd is running as, try this;
Often, you will see something like this;
uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail)
= George Imburgia =
= Network Specialist, Computer Services =
= Office of the President =
= Delaware Tech =
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: