Bugtraq mailing list archives
Re: in.fingerd vulnerability
From: brian () ASL-LABS BC CA (Brian Hampson)
Date: Wed, 20 Aug 1997 13:55:46 -0700
I made a call to DG, and the person I spoke with said "That's why it's commented out, with a warning about security" So....I reposted the message to the DGUSERS mailing list, and got the following response. We are in the midst of preparing for the upgrade, so I can't verify it. As stated below...apparently it's fixed in MU03. FWIW, DG/UX is officially up to 4.11MU04,with 4.20 coming soon. B. --- BEGIN forwarded message ---------------------------------------------- [...]
This was posted on the BUGTRAQ(large distribution among the security AND hacking communities) mailing list the other day....A HUGE security hole in DGUX's finger. A call to DGUX resulted in a "well...that's why it's commented out by default"... :( I'm in the process of submitting an RFE with DG, but I don't have a lot of hope.
Brian - FYI - This problem is fixed in revision R4.11MU03 and later of DG/UX. William Crosmun Data General Corp.
The only work arounds I can think of are: 1) disable fingerd 2) use tcpwrappers, and have a wrapper program check for the offending pipe and other shell specials 3) find a third party fingerd that DOESN'T have this wide open door to root.
[...] ----------------------------------------------------- -- End of forwarded message ----------------------------------------------------- -- "Vision without action is a daydream. Action without vision is a nightmare" Brian P. Hampson ASL Analytical Service Laboratories Ltd System Administrator, Vancouver, BC (604)253-4188 ----------------- http://www.asl-labs.bc.ca/ ---------------------------- These opinions are MINE I tell you ....all mine!!! (nobody else wants them)
Current thread:
- Re: in.fingerd vulnerability Brian Hampson (Aug 20)