Date: Mon, 5 Jan 1998 00:21:05 -0500 (EST) From: fosters@dvalley.demon.co.uk To: FreeBSD-gnats-submit@FreeBSD.ORG Subject: bin/5434: "backdoor" in fingerd allows execution of commands Message-ID: <199801050521.AAA01286@dvalley.demon.co.uk> Resent-Message-ID: <199801082230.OAA09149@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 5434 >Category: bin >Synopsis: "backdoor" in fingerd allows execution of commands >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Jan 8 14:30:13 PST 1998 >Last-Modified: >Originator: Tom Bampton >Organization: Eden Developments >Release: FreeBSD 2.2.5-RELEASE i386 >Environment: All environments >Description: When finger'ing a username surrounded by ` marks, fingerd will execute the command enclosed in the ` marks. >How-To-Repeat: At a shell prompt type: % finger `ls` Will give a directory listing of the current directory. If you telnet to port 79, you can use it almost like a shell.. e.g. % telnet localhost 79 then type: `rm -R /` and say goodbye to /. fingerd was running as root on my system, bad news! >Fix: Comment out fingerd from the inetd.conf and reboot or kill -HUP 126 >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199801050521.AAA01286>