Bugtraq mailing list archives
GNU finger 1.37 executes ~/.fingerrc with gid root
From: roessler () sobolev cologne de (Thomas Roessler)
Date: Fri, 17 Mar 1995 12:42:02 +0100 (MET)
There is a bug in the `lib/site/userinfo.c' module of GNU finger version 1.37 allowing any user on a system to execute arbitrary commands with gid root from ~/.fingerrc. The problem is that GNU finger *first* changes its userid thus giving away root privileges and *then* tries to change its gid which will not succeed. Greetings, Thomas *** userinfo.c.orig Fri Mar 17 12:12:28 1995 --- userinfo.c Fri Mar 17 12:12:37 1995 *************** *** 241,262 **** dup (fileno (*streamp)); } if (fileno (*streamp) != 2) { close (2); dup (fileno (*streamp)); } /* Set uid/gid */ - setuid (user->pw_uid); setgid (user->pw_gid); /* Set default directory */ chdir (user->pw_dir); /* Run ~/.fingerrc through user shell */ #ifdef FINGERRC_SHELL execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL); #else execlp (user->pw_shell, user->pw_shell, "-c", file, NULL); #endif --- 241,262 ---- dup (fileno (*streamp)); } if (fileno (*streamp) != 2) { close (2); dup (fileno (*streamp)); } /* Set uid/gid */ setgid (user->pw_gid); + setuid (user->pw_uid); /* Set default directory */ chdir (user->pw_dir); /* Run ~/.fingerrc through user shell */ #ifdef FINGERRC_SHELL execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL); #else execlp (user->pw_shell, user->pw_shell, "-c", file, NULL); #endif -- roessler () rhein iam uni-bonn de * roessler () sobolev cologne de MURPHY'S LAW: If anything can go wrong, it will.
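Review bot: In the `/* Set uid/gid */` block the return values of `setgid (user->pw_gid);` and `setuid (user->pw_uid);` are ignored, so if either call fails the following `execlp` still runs ~/.fingerrc through the shell with whatever privileges remain. That is the same failure the reordering is meant to close. Suggest testing both calls and exiting the child on failure, before `chdir` and `execlp` are reached. The visible lines also show no `initgroups` or `setgroups` call next to `setgid`, so any supplementary groups inherited from the parent process would survive into the user's shell; consider resetting them before `setgid`, while the process is still root. `chdir (user->pw_dir);` is unchecked as well, so on failure the shell starts in the parent's working directory.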