Bugtraq archives for 1st quarter (Jan-Mar) 1995: Re: GNU finger 1.37 executes ~/.fingerrc with gid root

Re: GNU finger 1.37 executes ~/.fingerrc with gid root

Christian Wettergren (cweit.kth.se)
Mon, 20 Mar 95 11:26:04 +0100

| There is a bug in the `lib/site/userinfo.c' module of GNU finger version
| 1.37 allowing any user on a system to execute arbitrary commands with gid
| root from ~/.fingerrc. The problem is that GNU finger *first* changes its
| userid thus giving away root privileges and *then* tries to change its gid
| which will not succeed.

I would feel much more comfortable if the return values of setuid() and
setgid() were checked. The current setup assumes the daemon is run as root.
If it is not (it wasn't at our site for "historical" reasons) it will
keep its spawned identity, not changing it at all, without discovering this.

|        	  /* Set uid/gid */
| - 	  setuid (user->pw_uid);
|   	  setgid (user->pw_gid);
|   
|   	  /* Set default directory */
|   	  chdir (user->pw_dir);
|   
|   	  /* Run ~/.fingerrc through user shell */
|   #ifdef FINGERRC_SHELL
|   	  execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
|   #else	  
|   	  execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
|   #endif
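Review bot: the hunk only deletes the `setuid (user->pw_uid);` line and never re-adds it after `setgid (user->pw_gid);`, so as shown the child would exec the user's shell with its uid still root; the call has to be moved below setgid, not dropped. Both calls should also be checked, e.g. `if (setgid (user->pw_gid) != 0 || setuid (user->pw_uid) != 0) exit (1);` before the chdir, so that a daemon not started as root fails instead of silently running ~/.fingerrc under whatever identity it happened to have.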

/Christian Wettergren, cweit.kth.se
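The ordering and the return-value checks the reply asks for, as an added C example that is not code from GNU finger or from the poster; the function names are my own and the main() only demonstrates a same-identity drop:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the target identity in the order GNU finger 1.37 got wrong:
 * gid first (while we still hold root), uid last, with every return value
 * checked. A daemon that was not started as root then fails loudly
 * instead of silently keeping its spawned identity.
 * Returns 0 on success, -1 with errno set on failure.
 * (A root daemon should also clear supplementary groups via setgroups().) */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)   /* needs root, so it must precede setuid() */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Post-condition: real and effective ids are exactly what we asked for. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* After dropping to a non-root uid, root must be unrecoverable. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The original ordering, kept only to show why checking matters: once
 * setuid() has given up root, setgid() to another group can only fail
 * (EPERM), which the unchecked call in userinfo.c silently ignored. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0)
        return -1;
    return setgid(gid) != 0 ? -1 : 0;
}

int main(void)
{
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %ld gid %ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```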