From BUGTRAQ announce (by Megyer Laszlo <abulla@FREEMAIL.HU>):
Following recent habits, I break the advisory into 4 parts:
OVERVIEW:
---------
There is a critical bug in the cfingerd daemon <= 1.4.3 (a classic format
string bug) that makes it possible to acquire full control over the remote
machine if it runs the cfingerd program, the configurable and secure finger
daemon.
In 3 words: REMOTE ROOT VULNERABILITY
DESCRIPTION:
------------
The bug occurs in main.c, lines 245, 258 and 268:
<------ syslog(LOG_NOTICE, (char *) syslog_str);
We can control syslog_str through our ident username, which goes directly
into the second parameter of syslog(), i.e. the format string. Using %n and
some tricks, we can overwrite anything in the daemon's memory, including the
saved eip register.
The more or less proper usage of syslog() here would be:
------> syslog(LOG_NOTICE, "%s", (char *) syslog_str);
There are many papers about format bugs, so I won't write detailed info
about them.
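The vulnerable and corrected syslog() calls side by side, plus two small checks a defender can run over the untrusted ident reply before it reaches the logger. This is an added example written for this page, not cfingerd's own code; the function names and the sample ident reply are constructed for illustration and are not taken from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Added example (not cfingerd source). The advisory quotes this call from
 * main.c, where syslog_str is built from the remote ident reply:
 *
 *     syslog(LOG_NOTICE, (char *) syslog_str);     <-- vulnerable
 *
 * The attacker-controlled string IS the format string, so every %-directive
 * in it is interpreted by syslog(). gcc -Wformat-security warns about
 * exactly this shape (a non-literal format with no arguments).
 */

/* Corrected pattern: a constant format string, the untrusted data as an
 * argument. Whatever the ident reply contains is logged as literal text. */
void log_ident_safe(const char *ident_reply)
{
    syslog(LOG_NOTICE, "%s", ident_reply);
}

/* Same corrected pattern applied to a buffer so the effect can be checked
 * without a syslog daemon. Returns 1 if the reply is reproduced verbatim,
 * i.e. "%n" and friends stay text instead of being interpreted. */
int reply_survives_verbatim(const char *ident_reply)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s", ident_reply);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, ident_reply) == 0;
}

/* Count conversion directives: a '%' not followed by another '%'. A genuine
 * ident username contains none, so a non-zero count is a cheap alert signal
 * for log review or an input filter in front of the logger. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Return 1 if the string contains a %n directive, allowing flags, width,
 * precision and length modifiers between '%' and 'n'. %n is the directive
 * the advisory names as the memory-write primitive; it never appears in
 * legitimate ident data, so its presence alone justifies rejecting the reply. */
int has_write_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;
        if (*p == '%')          /* "%%": skip the escaped percent */
            continue;
        while (*p != '\0' && strchr("0123456789.-+ #$*hlLqjzt", *p) != NULL)
            p++;
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *benign = "alice";
    const char *hostile = "%08x%n";

    printf("benign:  directives=%d write=%d verbatim=%d\n",
           count_format_directives(benign), has_write_directive(benign),
           reply_survives_verbatim(benign));
    printf("hostile: directives=%d write=%d verbatim=%d\n",
           count_format_directives(hostile), has_write_directive(hostile),
           reply_survives_verbatim(hostile));
    return 0;
}
```

The fix that matters is the one the advisory gives, the constant "%s" format; the two checks are defense in depth, useful as a filter in front of any logger that still takes a non-literal format, and as a detection rule over ident replies recorded in existing logs.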