From owner-freebsd-bugs  Thu Jan  8 14:30:23 1998
Return-Path: <owner-freebsd-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id OAA09181
          for bugs-outgoing; Thu, 8 Jan 1998 14:30:23 -0800 (PST)
          (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id OAA09149;
          Thu, 8 Jan 1998 14:30:17 -0800 (PST)
          (envelope-from gnats)
Resent-Date: Thu, 8 Jan 1998 14:30:17 -0800 (PST)
Resent-Message-Id: <199801082230.OAA09149@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, fosters@dvalley.demon.co.uk
Received: from dvalley.demon.co.uk (dvalley.demon.co.uk [158.152.155.21])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA02953
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 4 Jan 1998 21:16:52 -0800 (PST)
          (envelope-from fosters@dvalley.demon.co.uk)
Received: (from fosters@localhost)
	by dvalley.demon.co.uk (8.8.7/8.8.7) id AAA01286;
	Mon, 5 Jan 1998 00:21:05 -0500 (EST)
	(envelope-from fosters)
Message-Id: <199801050521.AAA01286@dvalley.demon.co.uk>
Date: Mon, 5 Jan 1998 00:21:05 -0500 (EST)
From: fosters@dvalley.demon.co.uk
Reply-To: fosters@dvalley.demon.co.uk
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/5434: "backdoor" in fingerd allows execution of commands
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk


>Number:         5434
>Category:       bin
>Synopsis:       "backdoor" in fingerd allows execution of commands
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan  8 14:30:13 PST 1998
>Last-Modified:
>Originator:     Tom Bampton
>Organization:
Eden Developments
>Release:        FreeBSD 2.2.5-RELEASE i386
>Environment:

	All environments

>Description:

	When finger'ing a username surrounded by ` marks, fingerd will execute
	the command enclosed in the ` marks.

>How-To-Repeat:

	At a shell prompt type:
	
	% finger `ls`
	
	Will give a directory listing of the current directory. If you telnet
	to port 79, you can use it almost like a shell.. e.g.
	
	% telnet localhost 79
	
	then type:
	
	`rm -R /`
	
	and say goodbye to /. fingerd was running as root on my system, bad
	news!

>Fix:
	
	Comment out fingerd from the inetd.conf and reboot or kill -HUP 126

>Audit-Trail:
>Unformatted: