From owner-freebsd-bugs Fri Jan 9 13:23:50 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA14468 for bugs-outgoing; Fri, 9 Jan 1998 13:23:50 -0800 (PST) (envelope-from owner-freebsd-bugs)
Received: from limbo.rtfm.net (root@rtfm.net [204.141.125.38]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id NAA14410; Fri, 9 Jan 1998 13:23:25 -0800 (PST) (envelope-from nathan@limbo.rtfm.net)
Received: (from nathan@localhost) by limbo.rtfm.net (8.8.8/8.8.8) id QAA28413; Fri, 9 Jan 1998 16:02:40 -0500 (EST)
Message-ID: <19980109160240.12366@rtfm.net>
Date: Fri, 9 Jan 1998 16:02:40 -0500
From: Nathan Dorfman
To: John-Mark Gurney
Cc: fosters@dvalley.demon.co.uk, freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/5434
References: <199801090104.RAA05704@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88
In-Reply-To: <199801090104.RAA05704@freefall.freebsd.org>; from John-Mark Gurney on Thu, Jan 08, 1998 at 05:04:04PM -0800
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, Jan 08, 1998 at 05:04:04PM -0800, John-Mark Gurney wrote:
> Synopsis: "backdoor" in fingerd allows execution of commands
>
> State-Changed-From-To: open-closed
> State-Changed-By: jmg
> State-Changed-When: Thu Jan 8 17:01:24 PST 1998
> State-Changed-Why:
> sounds like you must not have upgraded your inetd.conf... all three
> of the 2.2.1-R boxes, one of the 2.2-stable boxes, and the -current
> source all show that fingerd is run by nobody... and in your example,
> I couldn't even get a directory listing like you said... the closest
> was when I ran finger `ls`, which gave me an error saying finger: xxx
> no such user found for most of the files in my directory...
>
> telnetting directly to 79 results in:
> hydrogen,ttyq3,~,501$telnet localhost 79
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> `ls`
> finger: `ls`: no such user
> Connection closed by foreign host.

I have a sneaking suspicion that the original tester of this "backdoor"
forgot to comment out the ` characters :-) also, did you assume that the
telnet * 79 trick worked, or did you actually perform it?

-- 
 ________________    _______________________________
/ Nathan Dorfman  V  PGP: finger nathan@rtfm.net   /
/ nathan@rtfm.net |  http://www.rtfm.net           /