CVE-1999-1089

Step 1: Input Preparation: The attacker crafts a malicious command-line argument that is significantly longer than the allocated buffer within the chfn command's code. This argument typically contains shellcode designed to execute a privileged command (e.g., spawning a root shell).

Step 2: Command Execution: The attacker executes the chfn command with the crafted, oversized argument.

Step 3: Buffer Overflow: The chfn command attempts to process the excessively long argument. Due to the lack of proper bounds checking, the input overflows the allocated buffer.

Step 4: Memory Corruption: The overflow overwrites adjacent memory regions, including potentially the return address on the stack or other critical data.

Step 5: Control Hijack: The attacker's crafted input overwrites the return address with the address of the attacker's injected shellcode or other malicious code.

Step 6: Code Execution: When the chfn command attempts to return, it jumps to the attacker-controlled code, which is then executed with the privileges of the chfn command (often root).

The vulnerability lies within the chfn command, specifically in how it handles command-line arguments. The chfn command, used to change a user's finger information, fails to properly validate the size of input provided via command-line arguments. This leads to a buffer overflow when a crafted, excessively long argument is passed to the command. The overflow overwrites adjacent memory, potentially including critical data like the return address or function pointers. By carefully crafting the malicious input, an attacker can overwrite the return address with the address of a malicious code (shellcode) injected into the program's memory, or overwrite other critical data to redirect program execution to attacker-controlled code. This allows the attacker to execute arbitrary code with the privileges of the chfn command, which typically runs with elevated privileges (often root) during execution, thus leading to privilege escalation.