Bugtraq mailing list archives
Re: GNU finger 1.37 executes ~/.fingerrc with gid root
From: joerg.czeranski () informatik tu-clausthal de (Joerg Czeranski)
Date: Sat, 18 Mar 1995 17:15:07 +0100
There is a bug in the `lib/site/userinfo.c' module of GNU finger version 1.37 allowing any user on a system to execute arbitrary commands with gid root from ~/.fingerrc. The problem is that GNU finger *first* changes its userid thus giving away root privileges and *then* tries to change its gid which will not succeed.

Greetings, Thomas

[patch deleted]
And it seems (from the lines in your patch) that the initgroups() call is missing, too. That would imply that the commands would inherit the supplementary group IDs from fingerd. The supplementary group ID set may be empty depending on the flavour/version of inetd, but it's at least begging for disaster.

I haven't taken a closer look though. If I'm mistaken and the initgroups() is explicitly or implicitly there, I apologize.

joerg
--
Joerg Czeranski                EMail  czeranski () informatik tu-clausthal de
Osteroeder Strasse 55                 czeranski () rz tu-clausthal de
D 38678 Clausthal-Zellerfeld   WWW    http://www.in.tu-clausthal.de/~injc/
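The two points in this message (uid dropped before gid, and no initgroups()) can be seen side by side in the following added example, which is not GNU finger code and not part of the original post. It uses a simplified model of the credential check instead of the real setuid()/setgid()/initgroups() calls so that it runs without root; the `cred` struct, the `m_*` helpers, and the ids 1000 and 100 are constructed assumptions.

```c
/* Added example: toy model of the Unix credential rule, not GNU finger code. */
#include <stddef.h>
#include <stdio.h>
#define MAXGRP 8
struct cred { unsigned uid, gid; size_t ngroups; unsigned groups[MAXGRP]; };

/* Assumed, simplified rule: only uid 0 may switch to another uid or gid
   or replace the supplementary group list. */
static int m_setuid(struct cred *c, unsigned uid) {
    if (c->uid != 0 && uid != c->uid) return -1;
    c->uid = uid; return 0;
}
static int m_setgid(struct cred *c, unsigned gid) {
    if (c->uid != 0 && gid != c->gid) return -1;
    c->gid = gid; return 0;
}
static int m_initgroups(struct cred *c, const unsigned *g, size_t n) {
    if (c->uid != 0 || n > MAXGRP) return -1;
    for (size_t i = 0; i < n; i++) c->groups[i] = g[i];
    c->ngroups = n; return 0;
}

/* Order from the report: uid first, then gid, results ignored, no initgroups. */
void drop_uid_first(struct cred *c, unsigned uid, unsigned gid) {
    (void)m_setuid(c, uid);
    (void)m_setgid(c, gid);   /* fails: the process is no longer uid 0 */
}

/* Groups, then gid, then uid, each checked; uid goes last because giving
   it up removes the right to perform the other two steps. */
int drop_uid_last(struct cred *c, unsigned uid, unsigned gid,
                  const unsigned *groups, size_t n) {
    if (m_initgroups(c, groups, n) != 0) return -1;
    if (m_setgid(c, gid) != 0) return -1;
    if (m_setuid(c, uid) != 0) return -1;
    return 0;
}
/* Constructed start state: daemon running as root, one inherited group 0. */
struct cred daemon_cred(void) { struct cred c = { 0, 0, 1, { 0 } }; return c; }

int main(void) {
    struct cred a = daemon_cred(), b = daemon_cred();
    unsigned g[] = { 100 };   /* constructed group list for uid 1000 */
    drop_uid_first(&a, 1000, 100);
    int rc = drop_uid_last(&b, 1000, 100, g, 1);
    printf("uid first: uid=%u gid=%u\n", a.uid, a.gid);
    printf("uid last:  uid=%u gid=%u rc=%d\n", b.uid, b.gid, rc);
    return 0;
}
```

In real code the same sequence is initgroups(), setgid(), setuid(), with every return value checked before any user-controlled command is run.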