Security hole in cfingerd 1.4.2


Subject: Security hole in cfingerd 1.4.2
From: Peter Todd (pete@home.com)
Date: Thu May 04 2000 - 23:31:06 CEST


You can find out stuff about the file structure of a cfingerd running
system by passing * and ? as fake_user arguments. For instance, if you
use the ping fake user script in the examples you can check if /tmp
exists by running finger "ping./tm?@somesite". If /tmp exists, ping will
say "Performing a ping to /tmp"; if not, it will say "Performing a ping
to /tm?".

You don't seem to escape * and ? in the safe_exec() code. I would have
made a patch myself but I didn't know what repercussions that would
have...

Another problem is the ping and trace fake user scripts don't seem to
work when you supply an empty argument to them. For instance, finger
ping.@somesite makes ping and trace output some binary junk.

-- 
retep@penguinpowered.com http://retep.tripod.com
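The two defects reported above (unescaped glob characters reaching the shell, and an empty argument being accepted) are both argument-handling problems. The following is an added example, not cfingerd's own safe_exec() code (which is not on this page): it shows a shell-quoting helper that makes `*` and `?` literal, an allowlist check for a ping/traceroute target that also rejects an empty argument, and a hypothetical command builder using the assumed template `ping -c 1 %s`. The probe inputs at the bottom are constructed for illustration.

```c
/* Added example (not cfingerd's code): quoting and validating an untrusted
 * argument before it reaches /bin/sh, so glob characters such as '*' and
 * '?' are passed literally instead of being expanded against the filesystem. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap `arg` in single quotes for /bin/sh. Inside single quotes nothing is
 * special, so '*' and '?' stay literal; an embedded single quote becomes the
 * sequence '\'' (close quote, escaped quote, reopen). Caller frees result. */
char *shell_quote(const char *arg) {
    size_t len = strlen(arg), extra = 0;
    for (size_t i = 0; i < len; i++)
        if (arg[i] == '\'') extra += 3;          /* each ' grows to 4 chars */
    char *out = malloc(len + extra + 3);         /* 2 quotes + NUL */
    if (!out) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (arg[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = arg[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Stricter alternative for a ping/traceroute target: accept only characters
 * that can appear in a hostname or dotted-quad, and reject an empty argument
 * (the second problem in the report). Returns 1 if acceptable, 0 otherwise. */
int hostname_arg_ok(const char *arg) {
    if (arg == NULL || *arg == '\0') return 0;
    if (strlen(arg) > 253) return 0;             /* longest legal hostname */
    for (const char *c = arg; *c; c++) {
        if (!((*c >= 'a' && *c <= 'z') || (*c >= 'A' && *c <= 'Z') ||
              (*c >= '0' && *c <= '9') || *c == '.' || *c == '-'))
            return 0;
    }
    return 1;
}

/* Build the command line as a hardened safe_exec() wrapper might, using the
 * hypothetical template "ping -c 1 %s". Returns NULL on rejected input. */
char *build_ping_command(const char *target) {
    if (!hostname_arg_ok(target)) return NULL;   /* allowlist first */
    char *q = shell_quote(target);               /* then quote anyway */
    if (!q) return NULL;
    size_t n = strlen("ping -c 1 ") + strlen(q) + 1;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "ping -c 1 %s", q);
    free(q);
    return cmd;
}

int main(void) {
    /* constructed inputs: the glob probe from the report, a normal host,
     * the empty argument from the report, and an embedded quote */
    const char *probes[] = { "/tm?", "example.com", "", "a'b" };
    for (size_t i = 0; i < 4; i++) {
        char *q = shell_quote(probes[i]);
        char *cmd = build_ping_command(probes[i]);
        printf("input %-12s quoted %-10s -> %s\n",
               probes[i], q ? q : "(null)", cmd ? cmd : "(rejected)");
        free(q);
        free(cmd);
    }
    return 0;
}
```

Quoting alone stops the filesystem probe, since a single-quoted `/tm?` is never expanded by the shell; the allowlist check is the stronger fix for a fake user whose argument is only ever a host, and it is also what turns the empty-argument case into a clean rejection instead of garbage output.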




This archive was generated by hypermail 2b25 : Thu May 04 2000 - 23:32:46 CEST