Bugtraq mailing list archives
Re: Forwared to me
From: solar () FALSE COM (Solar Designer)
Date: Fri, 10 Jul 1998 04:41:36 +0400
Hello,
# mv /usr/bin/finger /usr/bin/finger.exe
# cat > /usr/bin/finger
#!/bin/sh
exec /usr/bin/finger.exe -m $*
^D
# chmod +x /usr/bin/finger
Hmm, weird, this doesn't look safe to me. Why trust the extra parsing done by the shell? Look at this:

sunny:~$ finger "a -b"
finger: a -b: no such user.
sunny:~$ finger a -b
finger: illegal option -- b
usage: finger [-lmps] [login ...]

Now, many implementations of fingerd just run finger on data received from the remote, doing some sanity checks first, and splitting the arguments for execv(). These checks often include denying passing of some or all options to finger. If fingerd knows about fewer word separators than the shell does, then an attacker might be able to pass a forbidden option to finger. For example, if our fingerd didn't know about tabs (which isn't a security hole yet: our fingerd uses execv(), remember?), a remote attacker could send us "user\t-option".

I admit that the problem isn't serious: not all fingerd's are done this way, forbidden finger options are likely to violate someone's privacy only, etc. Still, it's not a good idea to trust the shell, in general.

Signed,
Solar Designer
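The re-splitting described in the message above, as an added example that is not part of the original post. fake_finger is a hypothetical stand-in for /usr/bin/finger.exe that prints each argument it receives, the sample argument is constructed, and the "--" in the hardened wrapper assumes finger parses its options with getopt.

```shell
#!/bin/sh
# Hypothetical stand-in for /usr/bin/finger.exe: prints every argument it
# receives on its own line, in brackets, so the argument boundaries are visible.
fake_finger() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# The wrapper as posted: unquoted $* is split again by the shell on IFS
# (space, tab, newline), whatever boundaries the caller passed to execv().
weak_wrapper() {
    fake_finger -m $*
}

# Hardened form: "$@" keeps each argument exactly as received, and "--"
# (assumption: getopt-style option parsing) ends option processing.
hardened_wrapper() {
    fake_finger -m -- "$@"
}

# Constructed sample: the single argument a fingerd that does not treat
# tab as a separator would hand to the wrapper.
TAB=$(printf '\t')
SAMPLE="user${TAB}-option"

# Succeeds when the stand-in received "-option" as an argument of its own.
sees_separate_option() {
    "$1" "$SAMPLE" | grep -qFx '[-option]'
}

echo "posted wrapper:"
weak_wrapper "$SAMPLE"
echo "hardened wrapper:"
hardened_wrapper "$SAMPLE"
```

With the posted wrapper the stand-in receives "user" and "-option" as two arguments; with the hardened one it receives the tab-containing string as a single login name.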