Hello vuln-dev, First, this vulnerability has no relation to Berkley (BSD) fingerd. Buggy application is "Doug's WWW Finger Gateway". Second, as it was noted for many times, %0a encoding is hexadecimal ASCII, not Unicode encoding, so phrase "This bug can be exploited with Unicode / CGI Decode exploit from Microsoft called Internet Explorer." is funny, but completely mess. --Wednesday, November 21, 2001, 2:23:26 AM, you wrote to vuln-devat_private: vd> Hi everyone! vd> We have discovered a remote vulnerability in Berkeley finger, which is vd> somewhat trivial to exploit. The vendor has been notified and now is the vd> time for the hole to be fully disclosed to the security community. vd> Attached to this submission is our advisory + full working exploit. vd> Remember to use the information responsibly. vd> Happy hacking. vd> The GOBBLES Research Team vd> http://www.bugtraq.org -- ~/ZARAZA Машина оказалась способной к единственному действию, а именно умножению 2x2, да и то при этом ошибаясь. (Лем)
This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 08:17:32 PST