From owner-freebsd-bugs  Fri Jan  9 14:12:12 1998
Return-Path: <owner-freebsd-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id OAA18785
          for bugs-outgoing; Fri, 9 Jan 1998 14:12:12 -0800 (PST)
          (envelope-from owner-freebsd-bugs)
Received: from hydrogen.nike.efn.org (d182-89.uoregon.edu [128.223.182.89])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA18755
          for <freebsd-bugs@FreeBSD.ORG>; Fri, 9 Jan 1998 14:12:03 -0800 (PST)
          (envelope-from gurney_j@efn.org)
Received: (from jmg@localhost)
          by hydrogen.nike.efn.org (8.8.7/8.8.7) id OAA19265;
          Fri, 9 Jan 1998 14:11:43 -0800 (PST)
Message-ID: <19980109141143.58856@hydrogen.nike.efn.org>
Date: Fri, 9 Jan 1998 14:11:43 -0800
From: John-Mark Gurney <gurney_j@efn.org>
To: Nathan Dorfman <nathan@rtfm.net>
Cc: fosters@dvalley.demon.co.uk, freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/5434
References: <199801090104.RAA05704@freefall.freebsd.org> <19980109160240.12366@rtfm.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69
In-Reply-To: <19980109160240.12366@rtfm.net>; from Nathan Dorfman on Fri, Jan 09, 1998 at 04:02:40PM -0500
Reply-To: John-Mark Gurney <gurney_j@resnet.uoregon.edu>
Organization: Cu Networking
X-Operating-System: FreeBSD 2.2.1-RELEASE i386
X-PGP-Fingerprint: B7 EC EF F8 AE ED A7 31  96 7A 22 B3 D8 56 36 F4
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Nathan Dorfman scribbled this message on Jan 9:
> > telneting directly to 79 results in:
> > hydrogen,ttyq3,~,501$telnet localhost 79
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > `ls`
> > finger: `ls`: no such user
> > Connection closed by foreign host.
> 
> I have a sneaking suspicion that the original tester of this "backdoor"
> forgot to comment out the ` characters :-) also, did you assume that
> the telnet * 79 trick worked, or did you actually perform it?

read above... I did test it...  as the above paste shows... of course
I made sure that fingerd was nobody, which is was, before trying it..

fingerd doesn't even execute the command...  it was simply a problem
of the person not quoting the ``':
hydrogen,ttyq1,~,502$finger '`ls`@localhost'
[localhost]
finger: `ls`: no such user

-- 
  John-Mark Gurney                          Modem/FAX: +1 541 683 6954
  Cu Networking					  P.O. Box 5693, 97405

  Live in Peace, destroy Micro$oft, support free software, run FreeBSD