Bugtraq mailing list archives
GNU finger 1.37 executes ~/.fingerrc with gid root
From: roessler () sobolev cologne de (Thomas Roessler)
Date: Fri, 17 Mar 1995 12:42:02 +0100 (MET)
There is a bug in the `lib/site/userinfo.c' module of GNU finger version
1.37 allowing any user on a system to execute arbitrary commands with gid
root from ~/.fingerrc. The problem is that GNU finger *first* changes its
userid thus giving away root privileges and *then* tries to change its gid
which will not succeed.
Greetings, Thomas
*** userinfo.c.orig Fri Mar 17 12:12:28 1995
--- userinfo.c Fri Mar 17 12:12:37 1995
***************
*** 241,262 ****
dup (fileno (*streamp));
}
if (fileno (*streamp) != 2)
{
close (2);
dup (fileno (*streamp));
}
/* Set uid/gid */
- setuid (user->pw_uid);
setgid (user->pw_gid);
/* Set default directory */
chdir (user->pw_dir);
/* Run ~/.fingerrc through user shell */
#ifdef FINGERRC_SHELL
execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
#else
execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
#endif
--- 241,262 ----
dup (fileno (*streamp));
}
if (fileno (*streamp) != 2)
{
close (2);
dup (fileno (*streamp));
}
/* Set uid/gid */
setgid (user->pw_gid);
+ setuid (user->pw_uid);
/* Set default directory */
chdir (user->pw_dir);
/* Run ~/.fingerrc through user shell */
#ifdef FINGERRC_SHELL
execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
#else
execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
#endif
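Review bot: At the "Set uid/gid" lines, setgid() and setuid() are still called with their return values ignored, so if either call fails the execlp() below runs ~/.fingerrc with whatever privileges remain. That silent failure is what let the original ordering go unnoticed. Check both results and exit before chdir()/execlp() when either is non-zero. Nothing in the visible lines resets the supplementary group list (initgroups() or setgroups()) before setgid(), so confirm that happens earlier in the function or add it here ahead of setgid(). The chdir() result is also unchecked, so the shell can start in the daemon's working directory instead of the user's.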
--
roessler () rhein iam uni-bonn de * roessler () sobolev cologne de
MURPHY'S LAW:
If anything can go wrong, it will.
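The ordering problem described in the message above, as an added example that is not part of the original post or of GNU finger: a small model of the POSIX setuid()/setgid() permission rules, run through both call orders. It assumes the daemon starts with uid 0 and gid 0; the ids 1000 and 100 and all function names are constructed for illustration.

```c
#include <stdio.h>

/* Constructed model of POSIX credential rules, not kernel code. */
struct cred { int ruid, euid, suid, rgid, egid, sgid; };

/* setuid(): euid 0 may set all three uids; others only to ruid or suid. */
static int model_setuid(struct cred *c, int uid)
{
    if (c->euid == 0) { c->ruid = c->euid = c->suid = uid; return 0; }
    if (uid == c->ruid || uid == c->suid) { c->euid = uid; return 0; }
    return -1; /* EPERM */
}

/* setgid(): the privilege test is on the effective *uid*, not the gid. */
static int model_setgid(struct cred *c, int gid)
{
    if (c->euid == 0) { c->rgid = c->egid = c->sgid = gid; return 0; }
    if (gid == c->rgid || gid == c->sgid) { c->egid = gid; return 0; }
    return -1; /* EPERM */
}

/* Call order in finger 1.37: uid first, return values ignored.
   Returns the effective gid the exec'd shell would inherit. */
int egid_original_order(int uid, int gid)
{
    struct cred c = {0, 0, 0, 0, 0, 0};   /* assumed start: uid 0, gid 0 */
    (void)model_setuid(&c, uid);
    (void)model_setgid(&c, gid);          /* refused once euid != 0 */
    return c.egid;
}

/* Patched order (gid first, then uid), plus return-value checks that the
   patch itself does not add. Returns the effective gid, or -1 on refusal. */
int egid_patched_order(int uid, int gid)
{
    struct cred c = {0, 0, 0, 0, 0, 0};   /* assumed start: uid 0, gid 0 */
    if (model_setgid(&c, gid) != 0) return -1;
    if (model_setuid(&c, uid) != 0) return -1;
    return c.egid;
}

int main(void)
{
    /* 1000/100 are constructed sample ids for an ordinary user. */
    printf("original order: egid=%d\n", egid_original_order(1000, 100));
    printf("patched order:  egid=%d\n", egid_patched_order(1000, 100));
    return 0;
}
```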
