From owner-freebsd-bugs Thu Jan 8 19:20:06 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA03428 for bugs-outgoing; Thu, 8 Jan 1998 19:20:06 -0800 (PST) (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA03412; Thu, 8 Jan 1998 19:20:01 -0800 (PST) (envelope-from gnats)
Date: Thu, 8 Jan 1998 19:20:01 -0800 (PST)
Message-Id: <199801090320.TAA03412@hub.freebsd.org>
To: freebsd-bugs
Cc:
From: Kevin Day
Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands
Reply-To: Kevin Day
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR bin/5434; it has been noted by GNATS.

From: Kevin Day
To: fosters@dvalley.demon.co.uk
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands
Date: Thu, 8 Jan 1998 18:32:31 -0600 (CST)

> >Description:
>
> When finger'ing a username surrounded by ` marks, fingerd will execute
> the command enclosed in the ` marks.
>
> >How-To-Repeat:
>
> At a shell prompt type:
>
> % finger `ls`
>
> Will give a directory listing of the current directory. If you telnet
> to port 79, you can use it almost like a shell.. e.g.
>
> % telnet localhost 79
>
> then type:
>
> `rm -R /`
>
> and say goodbye to /. fingerd was running as root on my system, bad
> news!
>

Correct me if I'm missing something, but.....

Your shell is doing what's in the 's, not finger...

ls `rm -r /` would have the same effect. The idea is to pipe the output of a
command into the command line of another command..

Your telnet example doesn't work for me.

bash-2.00$ telnet 204.137.237.2 79
Trying 204.137.237.2...
Connected to home.dragondata.com.
Escape character is '^]'.
`cat /etc/master.passwd`
finger: `cat: no such user
finger: /etc/master.passwd: no such user
Connection closed by foreign host.
bash-2.00$

kill -9 `cat /var/run/httpd.pid` comes to mind....

Kevin
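
Added example, not part of the original message and not FreeBSD's fingerd code: a shell sketch of the distinction drawn in the reply above, showing which program expands the backticks and what a request line looks like when it is only split into arguments. The names fake_finger, typed_at_prompt, handled_as_data and handed_to_shell and the sample request string are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: which program expands `...`?

# Stand-in for finger(1) (hypothetical): reports every argument it receives,
# in the same form as the error lines in the telnet session.
fake_finger() {
    for user in "$@"; do
        printf 'finger: %s: no such user\n' "$user"
    done
}

# Case 1: typed at a shell prompt. The local shell runs the command inside
# the backticks and substitutes its output before fake_finger starts.
typed_at_prompt() {
    fake_finger `echo alice bob`
}

# Case 2: the same bytes arriving as a request line (constructed sample).
# The line is split on whitespace and passed on as plain arguments; text that
# results from expanding $request is never re-scanned for backticks.
handled_as_data() {
    request='`echo alice bob`'
    set -f                      # no filename globbing while splitting
    set -- $request             # whitespace split only
    set +f
    fake_finger "$@"
}

# Case 3: hypothetical daemon design that hands the request line to a shell.
# This is the only case where remote input would be executed; the session
# in the message does not show fingerd behaving this way.
handed_to_shell() {
    request='`echo alice bob`'
    eval "fake_finger $request"
}

echo '--- typed at a prompt';        typed_at_prompt
echo '--- request kept as data';     handled_as_data
echo '--- request given to a shell'; handed_to_shell
```

When auditing a network daemon for this class of bug, the pattern to look for is case 3: request text reaching eval, `sh -c`, system() or popen().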