Thus spake Oswald Buddenhagen on Mon, May 22, 2000 at 07:17:55AM CDT
> > It's possible to make .plan or .project named pipes, which means that
> > the act of reading them can cause code to be executed. If finger executes
> > suid root, then said code can execute as root. The potential for mischief
> > should be obvious.
> >
> Could you explain this a bit?
> From my knowledge, trying to read a pipe does not execute any process. If
> there is nothing on the other end then there is simply no data available.
> And I also cannot imagine that finger executes the data read from the
> .plan and .project files - otherwise anybody could make his files trojan
> horses, which attack any user who fingers the evil user.
> Did I miss something? Just curious ...
I may have misspoken on this. I believe that there are exploits involving finger and executable code, but I'm not sure of the details since it's been a while. I gave the issue some thought last night after I posted this and couldn't figure it out either. You can, of course, create a named pipe called .plan and attach an executable to write to it when it's opened for reading, but this process should execute with the permission of the writing process rather than the reading process. The issue of creating symlinks to private system files and being able to read them with a setuid finger is probably more compelling.

--
Lindsay Haisley       | "Everything works  | PGP public key
FMP Computer Services |  if you let it"    | available at
[EMAIL PROTECTED]     | (The Roadie)       | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                    |