From fosters@dvalley.demon.co.uk  Sun Jan  4 21:16:54 1998
Received: from dvalley.demon.co.uk (dvalley.demon.co.uk [158.152.155.21])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA02953
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 4 Jan 1998 21:16:52 -0800 (PST)
          (envelope-from fosters@dvalley.demon.co.uk)
Received: (from fosters@localhost)
	by dvalley.demon.co.uk (8.8.7/8.8.7) id AAA01286;
	Mon, 5 Jan 1998 00:21:05 -0500 (EST)
	(envelope-from fosters)
Message-Id: <199801050521.AAA01286@dvalley.demon.co.uk>
Date: Mon, 5 Jan 1998 00:21:05 -0500 (EST)
From: fosters@dvalley.demon.co.uk
Reply-To: fosters@dvalley.demon.co.uk
To: FreeBSD-gnats-submit@freebsd.org
Subject: "backdoor" in fingerd allows execution of commands
X-Send-Pr-Version: 3.2

>Number:         5434
>Category:       bin
>Synopsis:       "backdoor" in fingerd allows execution of commands
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan  8 14:30:13 PST 1998
>Closed-Date:    Thu Jan 8 17:01:24 PST 1998
>Last-Modified:  Thu Jan  8 19:20:01 PST 1998
>Originator:     Tom Bampton
>Release:        FreeBSD 2.2.5-RELEASE i386
>Organization:
Eden Developments
>Environment:

	All environments

>Description:

	When finger'ing a username surrounded by ` marks, fingerd will execute
	the command enclosed in the ` marks.

>How-To-Repeat:

	At a shell prompt type:
	
	% finger `ls`
	
	Will give a directory listing of the current directory. If you telnet
	to port 79, you can use it almost like a shell.. e.g.
	
	% telnet localhost 79
	
	then type:
	
	`rm -R /`
	
	and say goodbye to /. fingerd was running as root on my system, bad
	news!

>Fix:
	
	Comment out fingerd from the inetd.conf and reboot or kill -HUP 126

>Release-Note:
>Audit-Trail:

From: Jan Koum <jkb@best.com>
To: fosters@dvalley.demon.co.uk
Cc: FreeBSD-gnats-submit@freebsd.org, GNATS Management <gnats@freebsd.org>,
        freebsd-bugs@hub.freebsd.org
Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands
Date: Thu, 8 Jan 1998 16:09:35 -0800 (PST)

 On Mon, 5 Jan 1998 fosters@dvalley.demon.co.uk wrote:
 
 >
 >>How-To-Repeat:
 >
 >	At a shell prompt type:
 >	
 >	% finger `ls`
 >	
 >	Will give a directory listing of the current directory. If you telnet
 >	to port 79, you can use it almost like a shell.. e.g.
 >	
 >	% telnet localhost 79
 >	
 >	then type:
 >	
 >	`rm -R /`
 >	
 >	and say goodbye to /. fingerd was running as root on my system, bad
 >	news!
 >
 
 	Did you actually try it on your system?
 
 -- Yan
 
 >>Fix:
 >	
 >	Comment out fingerd from the inetd.conf and reboot or kill -HUP 126
 >
 >>Audit-Trail:
 >>Unformatted:
 >
 
State-Changed-From-To: open->closed
State-Changed-By: jmg
State-Changed-When: Thu Jan 8 17:01:24 PST 1998
State-Changed-Why:
sounds like you must not have upgraded your inetd.conf... all three
of the 2.2.1-R boxes, one of the 2.2-stable boxes, and the -current
source all show that fingerd is run by nobody... and in your example,
I couldn't even get a directory listing like you said... the closest
was when I ran finger `ls`, which gave me an error saying finger: xxx
no such user found for most of the files in my directory...

telnetting directly to 79 results in:
hydrogen,ttyq3,~,501$telnet localhost 79
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
`ls`
finger: `ls`: no such user
Connection closed by foreign host.

From: Marc Slemko <marcs@znep.com>
To: fosters@dvalley.demon.co.uk
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands
Date: Thu, 8 Jan 1998 17:47:41 -0700 (MST)

 On Mon, 5 Jan 1998 fosters@dvalley.demon.co.uk wrote:
 
 > >Description:
 > 
 > 	When finger'ing a username surrounded by ` marks, fingerd will execute
 > 	the command enclosed in the ` marks.
 > 
 > >How-To-Repeat:
 > 
 > 	At a shell prompt type:
 > 	
 > 	% finger `ls`
 
 No.  Your shell is interpreting the backticks.
 
 > 	
 > 	Will give a directory listing of the current directory. If you telnet
 > 	to port 79, you can use it almost like a shell.. e.g.
 > 	
 > 	% telnet localhost 79
 > 	
 > 	then type:
 > 	
 > 	`rm -R /`
 > 	
 > 	and say goodbye to /. fingerd was running as root on my system, bad
 
 Go ahead and try it.  It won't work.
 
 BTW, I don't think it is fingerd running as root.  If anything, it is you
 running as root when you try it from a shell prompt.  If fingerd is
 running as root, then you probably changed it.
 

From: Kevin Day <toasty@home.dragondata.com>
To: fosters@dvalley.demon.co.uk
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/5434: "backdoor" in fingerd allows execution of commands
Date: Thu, 8 Jan 1998 18:32:31 -0600 (CST)

 > >Description:
 > 
 > 	When finger'ing a username surrounded by ` marks, fingerd will execute
 > 	the command enclosed in the ` marks.
 > 
 > >How-To-Repeat:
 > 
 > 	At a shell prompt type:
 > 	
 > 	% finger `ls`
 > 	
 > 	Will give a directory listing of the current directory. If you telnet
 > 	to port 79, you can use it almost like a shell.. e.g.
 > 	
 > 	% telnet localhost 79
 > 	
 > 	then type:
 > 	
 > 	`rm -R /`
 > 	
 > 	and say goodbye to /. fingerd was running as root on my system, bad
 > 	news!
 > 
 
 Correct me if I'm missing something, but..... Your shell is doing what's in
 the 's, not finger...
 
 ls `rm -r /` would have the same effect.
 
 The idea is to pipe the output of a command into the command line of another
 command..
 
 Your telnet example doesn't work for me.
 
 bash-2.00$ telnet 204.137.237.2 79
 Trying 204.137.237.2...
 Connected to home.dragondata.com.
 Escape character is '^]'.
 `cat /etc/master.passwd`
 finger: `cat: no such user
 finger: /etc/master.passwd: no such user
 Connection closed by foreign host.
 bash-2.00$
 
 
 kill -9 `cat /var/run/httpd.pid` 
 
 comes to mind....
 
 
 Kevin
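As an added illustration of the point the replies make (example code, not part of the PR or of FreeBSD's fingerd): the finger protocol carries the request as one plain text line, fingerd splits it on whitespace and looks each token up as a user name, and backtick command substitution happens only when a shell parses the line on the client side. The user table and request handler below are constructed for the example; the two client-side helpers assume a POSIX `sh` is available.

```python
import subprocess
from typing import Dict, List

# Constructed user table standing in for the passwd database (example data).
USERS: Dict[str, str] = {"root": "Charlie Root", "fosters": "Tom Bampton"}


def parse_finger_query(raw: bytes) -> dict:
    """Parse one finger request line in the RFC 1288 {Q1}/{Q2} shape.

    The request is a single CRLF-terminated line, optionally prefixed with
    "/W" to ask for the long format; the rest is a list of names that the
    daemon splits on whitespace. Backticks have no special meaning here:
    they are ordinary bytes inside a name.
    """
    line = raw.decode("latin-1").rstrip("\r\n")
    verbose = False
    if line.startswith("/W"):
        verbose = True
        line = line[2:]
    return {"verbose": verbose, "names": line.split()}


def handle_request(raw: bytes, users: Dict[str, str] = USERS) -> List[str]:
    """Emulate the behaviour the transcripts in this PR show: every
    whitespace-separated token is looked up as a user name, and unknown
    names get a 'no such user' reply rather than being executed."""
    query = parse_finger_query(raw)
    replies = []
    for name in query["names"]:
        if name in users:
            replies.append(f"Login: {name}\t\t\tName: {users[name]}")
        else:
            replies.append(f"finger: {name}: no such user")
    return replies


def pass_literal(arg: str) -> str:
    """Hand ARG to a child as a single argv element; no shell re-parses it,
    so a backtick string arrives unchanged (what finger itself receives)."""
    res = subprocess.run(["sh", "-c", 'printf %s "$1"', "sh", arg],
                         capture_output=True, text=True, check=True)
    return res.stdout


def expand_via_shell(command_line: str) -> str:
    """Let a shell parse the whole line first, as typing at a prompt does;
    this is where the backticks in `finger `ls`` were expanded."""
    res = subprocess.run(command_line, shell=True,
                         capture_output=True, text=True, check=True)
    return res.stdout
```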
>Unformatted:
