Re: GNU finger 1.37 executes ~/.fingerrc with gid root

Joerg Czeranski (joerg.czeranski@informatik.tu-clausthal.de)
Sat, 18 Mar 1995 17:15:07 +0100

> There is a bug in the `lib/site/userinfo.c' module of GNU finger version
> 1.37 allowing any user on a system to execute arbitrary commands with gid
> root from ~/.fingerrc. The problem is that GNU finger *first* changes its
> userid thus giving away root privileges and *then* tries to change its gid
> which will not succeed.
> 
> Greetings, Thomas
> 
> 
> [patch deleted]

And it seems (from the lines in your patch) that the initgroups()
call is missing, too.  That would imply that the commands would
inherit the supplementary group IDs from fingerd.
The supplementary group ID set may be empty depending on the
flavour/version of inetd, but it's at least begging for disaster.

I haven't taken a closer look though.  If I'm mistaken and
the initgroups() is explicitly or implicitly there,
I apologize.

joerg

--
Joerg Czeranski                 EMail czeranski@informatik.tu-clausthal.de
Osteroeder Strasse 55                 czeranski@rz.tu-clausthal.de
D 38678 Clausthal-Zellerfeld    WWW   http://www.in.tu-clausthal.de/~injc/
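
The ordering both messages point at, as an added example that is not part of the original post and not GNU finger's code: supplementary groups first, then gid, then uid, with every call checked and the result verified. The helper name drop_privileges and the account given on the command line are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes initgroups() in glibc's <grp.h> */
#endif
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 only when every credential belongs to the
 * target account; on -1 the caller must exit without running user code. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (user == NULL)
        return -1;
    /* 1. Replace the supplementary groups inherited from the parent
     *    (inetd/fingerd). Needs privilege, so it comes first. */
    if (initgroups(user, gid) != 0) {
        perror("initgroups");
        return -1;
    }
    /* 2. Change the group ID while still privileged. */
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    /* 3. Change the user ID last: once root is given up, setgid() can no
     *    longer succeed, which is the reversed order the report describes. */
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* 4. Verify the result instead of trusting return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* root must not be recoverable */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;
    if (pw == NULL || drop_privileges(pw->pw_name, pw->pw_uid, pw->pw_gid) != 0)
        return 1;   /* refuse to continue with partial privileges */
    printf("uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Run without privilege, the helper fails at step 1 and returns -1, which is the behaviour a daemon should treat as fatal.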