Date: Thu, 8 Jan 1998 19:20:01 -0800 (PST)
From: Kevin Day <toasty@home.dragondata.com>
To: freebsd-bugs
Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands
Message-ID: <199801090320.TAA03412@hub.freebsd.org>

The following reply was made to PR bin/5434; it has been noted by GNATS.

From: Kevin Day <toasty@home.dragondata.com>
To: fosters@dvalley.demon.co.uk
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands
Date: Thu, 8 Jan 1998 18:32:31 -0600 (CST)

> >Description:
>
> When finger'ing a username surrounded by ` marks, fingerd will execute
> the command enclosed in the ` marks.
>
> >How-To-Repeat:
>
> At a shell prompt type:
>
> % finger `ls`
>
> Will give a directory listing of the current directory. If you telnet
> to port 79, you can use it almost like a shell.. e.g.
>
> % telnet localhost 79
>
> then type:
>
> `rm -R /`
>
> and say goodbye to /. fingerd was running as root on my system, bad
> news!
>

Correct me if I'm missing something, but.....

Your shell is doing what's in the 's, not finger...

ls `rm -r /` would have the same effect. The idea is to pipe the output of a
command into the command line of another command..

Your telnet example doesn't work for me.

bash-2.00$ telnet 204.137.237.2 79
Trying 204.137.237.2...
Connected to home.dragondata.com.
Escape character is '^]'.
`cat /etc/master.passwd`
finger: `cat: no such user
finger: /etc/master.passwd: no such user
Connection closed by foreign host.
bash-2.00$

kill -9 `cat /var/run/httpd.pid` comes to mind....

Kevin
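
The distinction drawn in the reply above, as an added example that is not part of the original message or of FreeBSD's fingerd: backticks are expanded by whichever shell parses the line, so a request that arrives over a socket stays plain data unless the handler hands it to a shell. `show_argv` is a hypothetical stand-in for finger(1), and the request string is constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; show_argv is a hypothetical stand-in for finger(1).
# It reports exactly what the program receives: argument count, then each one.
show_argv() {
    printf '%s' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# Constructed sample request: what a client would type, backticks included.
REQUEST='`echo alice bob`'

# 1. Typed at a prompt: the caller's shell runs the substitution first,
#    so the program only ever sees the command's output.
typed_at_prompt() {
    show_argv `echo alice bob`
}

# 2. Sent over a socket: no shell parses the bytes. The handler splits the
#    line on whitespace (globbing off) and passes the words on as data.
received_as_data() {
    set -f
    set -- $REQUEST
    set +f
    show_argv "$@"
}

# 3. Anti-pattern: a handler that builds a shell command line from the
#    request would bring the substitution back, now on the server side.
rebuilt_through_shell() {
    eval "show_argv $REQUEST"
}

typed_at_prompt        # 2 [alice] [bob]
received_as_data       # 3 [`echo] [alice] [bob`]
rebuilt_through_shell  # 2 [alice] [bob]
```

Case 2 corresponds to the telnet transcript in the message, where the backticked words come back as unknown user names; case 3 is the pattern to look for when auditing a daemon that turns network input into a command line.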