|
Vulnerability in.fingerd Affected DGUX Description George Imburgia posted about another old bug that won't die. The finger daemon that ships with dgux will allow a remote user to pipe commands, often with uid root or bin. To check for this vulnerability, simply use the RFC compliant syntax; finger /W@host If it returns something like this, it may be vulnerable; Login name: /W In real life: ??? To see the uid in.fingerd is running as, try this; finger "|/bin/id@host" Often, you will see something like this; uid=0(root) gid=0(root) or; uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail) Solution 1) disable fingerd, 2) use tcpwrappers, and have a wrapper program check for the offending pipe and other shell specials, 3) find a third party fingerd that DOESN'T have this wide open door to root. Apparently it's fixed in MU03. DG/UX is officially up to 4.11MU04 with 4.20 coming soon.