
Re: finger



Thus spake Oswald Buddenhagen on Mon, May 22, 2000 at 07:17:55AM CDT
> > It's possible to make .plan or .project to be named pipes, which means that
> > the act of reading them can cause code to be executed.  If finger executes
> > suid root, then said code can execute as root.  The potential for mischief
> > should be obvious.
> > 
> Could you explain this a bit?
> From my knowledge, trying to read a pipe does not execute any process. If
> there is nothing on the other end then there is simply no data available.
> And I also cannot imagine that finger executes the data read from the
> .plan and .project files - otherwise anybody could make his files trojan
> horses, which attack any user who fingers the evil user.
> Did I miss something? Just curious ...

I may have misspoken on this.  I believe that there are exploits involving
finger and executable code, but I'm not sure of the details since it's been
a while.  I gave the issue some thought last night after I posted this and
couldn't figure it out either.  You can, of course, create a named pipe
called .plan and attach an executable to write to it when it's opened for
reading, but this process should execute with the permission of the writing
process rather than the reading process.  The issue of creating symlinks to
private system files and being able to read them with a setuid finger is
probably more compelling.

-- 
Lindsay Haisley       | "Everything works    |     PGP public key
FMP Computer Services |       if you let it" |      available at
fmouse@fmp.com        |    (The Roadie)      | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                      |
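The two hazards the thread settles on are a .plan that is a symlink to a private file (readable by a setuid finger) and a .plan that is a FIFO (which does not run anything as the reader, but can leave the reader blocked waiting for a writer). Below is an added example, not code from either poster or from any finger implementation, of how a privileged reader can refuse both before ever opening the file. The function and enum names are hypothetical, the scratch directory it builds under /tmp is constructed for the self-check, and the ownership rule (the .plan must belong to the user being fingered) is an assumed policy rather than anything the thread states.

```c
#define _GNU_SOURCE          /* mkdtemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of an attempt to read a user's .plan (hypothetical names). */
enum plan_status {
    PLAN_OK = 0,
    PLAN_ABSENT,        /* no .plan at all: normal, print nothing */
    PLAN_SYMLINK,       /* symlink: refuse, it may point at a private file */
    PLAN_NOT_REGULAR,   /* FIFO, device, directory: refuse without opening */
    PLAN_WRONG_OWNER,   /* not owned by the fingered user: refuse */
    PLAN_ERROR
};

/* Read at most bufsz-1 bytes of the .plan at `path`, which must be a regular
 * file owned by `owner`.  Symlinks are refused, so a setuid reader is not a
 * read oracle; FIFOs are refused before open(), so the reader never blocks. */
enum plan_status read_plan_safely(const char *path, uid_t owner,
                                  char *buf, size_t bufsz)
{
    struct stat st, opened;
    if (lstat(path, &st) != 0)
        return errno == ENOENT ? PLAN_ABSENT : PLAN_ERROR;
    if (S_ISLNK(st.st_mode))
        return PLAN_SYMLINK;
    if (!S_ISREG(st.st_mode))
        return PLAN_NOT_REGULAR;
    if (st.st_uid != owner)
        return PLAN_WRONG_OWNER;

    /* The entry could be swapped between lstat() and open() (TOCTOU), so the
     * open itself refuses symlinks and would not block on a FIFO either. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return errno == ELOOP ? PLAN_SYMLINK : PLAN_ERROR;

    /* Authoritative check on the object actually opened. */
    if (fstat(fd, &opened) != 0 || !S_ISREG(opened.st_mode)
        || opened.st_uid != owner
        || opened.st_dev != st.st_dev || opened.st_ino != st.st_ino) {
        close(fd);
        return PLAN_NOT_REGULAR;
    }
    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0)
        return PLAN_ERROR;
    buf[n] = '\0';
    return PLAN_OK;
}

/* Self-check on a constructed scratch directory: a regular .plan, a symlink
 * to a "private" file, a FIFO, and a missing file.  Returns 1 when every
 * case is handled as intended, 0 otherwise. */
int demo_self_check(void)
{
    char dir[] = "/tmp/plan-demo-XXXXXX";
    char plan[128], secret[128], link[128], fifo[128], missing[128], buf[256];
    uid_t me = getuid();
    int ok = 1;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(plan, sizeof plan, "%s/plan", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link, sizeof link, "%s/plan-link", dir);
    snprintf(fifo, sizeof fifo, "%s/plan-fifo", dir);
    snprintf(missing, sizeof missing, "%s/no-such-plan", dir);

    FILE *f = fopen(plan, "w");
    if (f) { fputs("auditing finger\n", f); fclose(f); }
    f = fopen(secret, "w");
    if (f) { fputs("private data\n", f); fclose(f); }
    ok &= symlink(secret, link) == 0;
    ok &= mkfifo(fifo, 0600) == 0;

    ok &= read_plan_safely(plan, me, buf, sizeof buf) == PLAN_OK
          && strcmp(buf, "auditing finger\n") == 0;
    ok &= read_plan_safely(link, me, buf, sizeof buf) == PLAN_SYMLINK;
    ok &= read_plan_safely(fifo, me, buf, sizeof buf) == PLAN_NOT_REGULAR;
    ok &= read_plan_safely(plan, me + 1, buf, sizeof buf) == PLAN_WRONG_OWNER;
    ok &= read_plan_safely(missing, me, buf, sizeof buf) == PLAN_ABSENT;

    unlink(plan); unlink(secret); unlink(link); unlink(fifo); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened .plan reader self-check: %s\n",
           demo_self_check() ? "all cases handled" : "FAILED");
    return 0;
}
```

The lstat() result alone is not enough, since the directory entry can change between the check and the open; the O_NOFOLLOW flag and the fstat() on the opened descriptor are what actually enforce the policy, and the O_NONBLOCK flag means that even a FIFO that slips past the first check cannot stall a privileged daemon.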