efingerd, an alternative implementation of the finger daemon, features the ability for users to create scripts which are run when the user is fingered, and to vary the output depending on the origin of the finger request.
10/29/01
A vulnerability in the Solaris finger service allows a remote attacker to retrieve the full list of account names by querying the user name "a b c d e f g h". Solaris 2.5 through 8 (SunOS 5.5 through 5.8) are affected by this vulnerability.
CVE-2000-0915
A vulnerability in the FreeBSD finger service allows a remote attacker to view a file on the server by putting the full pathname to the file in place of the user name in the finger request. FreeBSD 4.1.1 is affected by this vulnerability.
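The defensive side of the FreeBSD issue is input validation at the point where the daemon reads the request. The following added example (not code from the FreeBSD finger daemon or from efingerd) parses one finger request line in the "[/W] [username]<CRLF>" form of RFC 1288 and refuses any user name that looks like a file path before it is used for a lookup. MAX_USER, the function names and the sample request lines in main() are assumptions constructed for this illustration.

```c
/* Added example, not code from efingerd or the FreeBSD finger daemon:
 * parse one finger request line ("[/W] [username]<CRLF>", RFC 1288) and
 * refuse user names that are really file paths. MAX_USER, the function
 * names and the sample lines in main() are constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 32   /* longest account name we will look up */

/* Return 1 if name is acceptable as an account name, 0 otherwise.
 * Anything containing '/', starting with '.' or '-', empty, or longer
 * than MAX_USER bytes is refused. The FreeBSD issue above arises when a
 * full pathname gets past this point and is used to open a file. */
int username_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_USER)
        return 0;
    if (name[0] == '.' || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Extract the user name from a request line into out (outsz bytes).
 * Returns 1 if a validated name was extracted, 0 if the line names no
 * user (a user-list query), -1 if the line is malformed or the name was
 * refused. *verbose is set when the /W flag is present. */
int parse_finger_request(const char *line, char *out, size_t outsz, int *verbose)
{
    char buf[256];
    size_t n = strlen(line);
    if (n >= sizeof buf)
        return -1;
    memcpy(buf, line, n + 1);
    while (n > 0 && (buf[n - 1] == '\r' || buf[n - 1] == '\n'))
        buf[--n] = '\0';                     /* strip the CRLF terminator */

    char *p = buf;
    *verbose = 0;
    while (*p == ' ')
        p++;
    if (strncmp(p, "/W", 2) == 0) {          /* optional verbose flag */
        *verbose = 1;
        p += 2;
        while (*p == ' ')
            p++;
    }
    if (*p == '\0') {                        /* no user: list query */
        out[0] = '\0';
        return 0;
    }
    if (strchr(p, '@'))                      /* refuse "user@host" forwarding */
        return -1;
    size_t tl = strcspn(p, " \t");
    if (p[tl] != '\0' || tl >= outsz)        /* extra tokens, or too long */
        return -1;
    memcpy(out, p, tl);
    out[tl] = '\0';
    return username_ok(out) ? 1 : -1;
}

/* Result code for one request line (wrapper used by the checks). */
int request_result(const char *line)
{
    char user[MAX_USER + 1];
    int verbose;
    return parse_finger_request(line, user, sizeof user, &verbose);
}

/* 1 if line parses to exactly the expected user name and verbose flag. */
int request_user_is(const char *line, const char *expected, int want_verbose)
{
    char user[MAX_USER + 1];
    int verbose;
    if (parse_finger_request(line, user, sizeof user, &verbose) != 1)
        return 0;
    return strcmp(user, expected) == 0 && verbose == want_verbose;
}

int main(void)
{
    /* constructed request lines, as a finger client would send them */
    const char *samples[] = { "alice\r\n", "/W alice\r\n", "\r\n",
                              "/etc/passwd\r\n", "../../etc/passwd\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("request %zu -> %d\n", i, request_result(samples[i]));
    return 0;
}
```

A request of "/etc/passwd" or "../../etc/passwd" yields -1 and never reaches the file system; an empty request yields 0 so the daemon can decide separately whether user listing is permitted at all.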
3/22/02
CVE-2002-0423
efingerd copies the host name returned by a reverse DNS lookup into a fixed-length buffer, resulting in a buffer overflow condition. An attacker who controls a DNS server could register a very long host name, thus causing the buffer to overflow when he or she fingers the vulnerable host. This could lead to a denial of service or execution of arbitrary code.
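The pattern behind CVE-2002-0423 is a copy bounded by the length of the DNS answer rather than by the destination buffer. The following added example (not efingerd's code) shows that defective pattern next to a hardened copy that is bounded by the buffer, always NUL-terminates, screens the attacker-chosen PTR text, and reports truncation so the caller can log the numeric address instead. HOST_BUF, the function names and the sample names are assumptions constructed for this illustration.

```c
/* Added example, not efingerd's code: store the host name returned by a
 * reverse DNS lookup in a fixed-size buffer without overrunning it.
 * HOST_BUF, the function names and the sample names are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF 64   /* fixed-length destination, as in the description above */

/* Defective pattern, shown for contrast only: the copy is bounded by the
 * DNS answer, not by the destination, so a name longer than HOST_BUF-1
 * bytes writes past the end of dst. */
void copy_host_unchecked(char *dst, const char *dns_name)
{
    strcpy(dst, dns_name);
}

/* Hardened form. Copies at most HOST_BUF-1 bytes, always NUL-terminates,
 * and tells the caller what happened so it can fall back to the numeric
 * address rather than trust a truncated name.
 * Returns 0 on a clean copy, 1 if the name was truncated, -1 if refused. */
int copy_host_checked(char *dst, const char *dns_name)
{
    size_t len = strlen(dns_name);
    /* A DNS name is at most 255 bytes (RFC 1035); anything longer is not
     * a host name and is refused outright. */
    if (len == 0 || len > 255) {
        dst[0] = '\0';
        return -1;
    }
    /* The PTR answer is attacker-chosen text: allow only host-name
     * characters so it cannot carry control bytes into logs or scripts. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)dns_name[i];
        if (!(isalnum(c) || c == '-' || c == '.')) {
            dst[0] = '\0';
            return -1;
        }
    }
    size_t n = len < HOST_BUF - 1 ? len : HOST_BUF - 1;
    memcpy(dst, dns_name, n);
    dst[n] = '\0';
    return n < len ? 1 : 0;
}

/* Helpers for the checks: result code and stored length for a name. */
int checked_result(const char *name)
{
    char buf[HOST_BUF];
    return copy_host_checked(buf, name);
}

size_t checked_stored_len(const char *name)
{
    char buf[HOST_BUF];
    copy_host_checked(buf, name);
    return strlen(buf);
}

/* Build a constructed name of n 'a' characters (n capped at 511) and
 * report the result code, exercising the truncation and refusal paths. */
int long_name_result(size_t n)
{
    char name[512];
    if (n > sizeof name - 1)
        n = sizeof name - 1;
    memset(name, 'a', n);
    name[n] = '\0';
    return checked_result(name);
}

size_t long_name_stored_len(size_t n)
{
    char name[512];
    if (n > sizeof name - 1)
        n = sizeof name - 1;
    memset(name, 'a', n);
    name[n] = '\0';
    return checked_stored_len(name);
}

int main(void)
{
    char host[HOST_BUF];
    int r = copy_host_checked(host, "mail.example.net");   /* constructed */
    printf("%d %s\n", r, host);
    printf("100-byte name -> code %d, stored %zu bytes\n",
           long_name_result(100), long_name_stored_len(100));
    printf("300-byte name -> code %d\n", long_name_result(300));
    return 0;
}
```

A 100-byte PTR answer is stored as 63 bytes with a truncation code of 1 rather than overrunning the buffer; a 300-byte answer is refused as not being a host name at all. Logging the truncation (or the raw address) also gives a detection hook for the oversized reverse-DNS replies the description above warns about.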
CVE-2002-0424
The ability for local users to create scripts which are run when they are fingered presents another vulnerability. By fingering oneself, a local user can cause arbitrary commands to be executed by the efingerd process, resulting in a possible privilege elevation attack or the ability to cover one's tracks while carrying out some other attack.
If disabling the service is not possible, apply the appropriate patch. Solaris patches are referenced in Sun Alert Notification 27116. A patch for FreeBSD was posted to Bugtraq.