From owner-freebsd-bugs Thu Jan 8 19:10:13 1998 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA02262 for bugs-outgoing; Thu, 8 Jan 1998 19:10:13 -0800 (PST) (envelope-from owner-freebsd-bugs) Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA02233; Thu, 8 Jan 1998 19:10:04 -0800 (PST) (envelope-from gnats) Date: Thu, 8 Jan 1998 19:10:04 -0800 (PST) Message-Id: <199801090310.TAA02233@hub.freebsd.org> To: freebsd-bugs Cc: From: Marc Slemko Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands Reply-To: Marc Slemko Sender: owner-freebsd-bugs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk The following reply was made to PR bin/5434; it has been noted by GNATS. From: Marc Slemko To: fosters@dvalley.demon.co.uk Cc: FreeBSD-gnats-submit@freebsd.org Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands Date: Thu, 8 Jan 1998 17:47:41 -0700 (MST) On Mon, 5 Jan 1998 fosters@dvalley.demon.co.uk wrote: > >Description: > > When finger'ing a username surrounded by ` marks, fingerd will execute > the command enclosed in the ` marks. > > >How-To-Repeat: > > At a shell prompt type: > > % finger `ls` No. Your shell is interpreting the backtics. > > Will give a directory listing of the current directory. If you telnet > to port 79, you can use it almost like a shell.. e.g. > > % telnet localhost 79 > > then type: > > `rm -R /` > > and say goodbye to /. fingerd was running as root on my system, bad Go ahead and try it. It won't work. BTW, I don't think it is fingerd running as root. If anything, it is you running as root when you try it from a shell prompt. If fingerd is running as root, then you probably changed it.