Date: Fri, 9 Jan 1998 16:02:40 -0500
From: Nathan Dorfman <nathan@rtfm.net>
To: John-Mark Gurney <jmg@FreeBSD.ORG>
Cc: fosters@dvalley.demon.co.uk, freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/5434
Message-ID: <19980109160240.12366@rtfm.net>
In-Reply-To: <199801090104.RAA05704@freefall.freebsd.org>; from John-Mark Gurney on Thu, Jan 08, 1998 at 05:04:04PM -0800
References: <199801090104.RAA05704@freefall.freebsd.org>

On Thu, Jan 08, 1998 at 05:04:04PM -0800, John-Mark Gurney wrote:
> Synopsis: "backdoor" in fingerd allows execution of commands
>
> State-Changed-From-To: open-closed
> State-Changed-By: jmg
> State-Changed-When: Thu Jan 8 17:01:24 PST 1998
> State-Changed-Why:
> sounds like you must not have upgraded your inetd.conf... all three
> of the 2.2.1-R boxes, one of the 2.2-stable boxes, and the -current
> source all show that fingerd is run by nobody... and in your example,
> I couldn't even get a directory listing like you said... the closest
> was when I ran finger `ls`, which gave me an error saying finger: xxx
> no such user found for most of the files in my directory...
>
> telnetting directly to 79 results in:
> hydrogen,ttyq3,~,501$telnet localhost 79
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> `ls`
> finger: `ls`: no such user
> Connection closed by foreign host.

I have a sneaking suspicion that the original tester of this "backdoor"
forgot to comment out the ` characters :-)

Also, did you assume that the telnet * 79 trick worked, or did you
actually perform it?

--
  ________________  _______________________________
 / Nathan Dorfman  V PGP: finger nathan@rtfm.net  /
/ nathan@rtfm.net  | http://www.rtfm.net          /