[19142] in bugtraq


Format string bug in startinnfeed

daemon@ATHENA.MIT.EDU (Paul Starzetz)
Mon Feb 12 17:03:05 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <3A87F747.FBBB6E52@starzetz.de>
Date:         Mon, 12 Feb 2001 15:46:31 +0100
Reply-To: Paul Starzetz <paul@STARZETZ.DE>
From: Paul Starzetz <paul@STARZETZ.DE>
To: BUGTRAQ@SECURITYFOCUS.COM

1. Description
--------------

The 'startinnfeed' binary contains various format string bugs. Most of
the command line options pass user-supplied arguments to 'syslog()' as
the format string. For example:

paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -a "%x%x%n%n%n%n%n%n%n"
segmentation fault
paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -b "%x%x%n%n%n%n%n%n%n"
Mon Feb 12 15:37:01 2001 innfeed: Not a directory: %x%x%n%n%n%n%n%n%n

segmentation fault
paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -c "%x%x%n%n%n%n%n%n%n"
segmentation fault
paul@ps:/usr/home/paul >
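To make the root cause concrete, here is an added example (not code from INN or from the advisory) contrasting the pattern described above, where the argument itself becomes the syslog() format, with the hardened form that passes it through a literal "%s". It also includes a small audit helper that counts conversion directives in an untrusted string; the function names and the sample string are the example's own, the latter copied from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

// Vulnerable pattern described in the advisory: the user-supplied
// argument is handed to syslog() as the format string, so "%x%x%n..."
// is interpreted as conversions instead of being logged as text:
//
//     syslog(LOG_ERR, arg);        // never do this
//
// Hardened pattern: the format is a string literal and the argument is
// consumed only by a %s conversion, so its content is never interpreted.
void log_bad_argument(const char *label, const char *arg)
{
    syslog(LOG_ERR, "%s: %s", label, arg);
}

// Render "label: arg" into out exactly as the hardened call above would
// log it (used so the behaviour can be checked without a syslog daemon).
// Returns the number of bytes snprintf() would have written.
int build_log_message(char *out, size_t outlen, const char *label, const char *arg)
{
    return snprintf(out, outlen, "%s: %s", label, arg);   // arg is data, not a format
}

// Count conversion directives in an untrusted string; "%%" is a literal
// percent sign, not a directive.  Handy when auditing what reaches a logger.
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      // escaped percent: skip both characters
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    const char *hostile = "%x%x%n%n%n%n%n%n%n";   // sample taken from the advisory
    build_log_message(buf, sizeof buf, "Not a directory", hostile);
    printf("%s\n", buf);                              // argument logged verbatim
    printf("directives in argument: %d\n", count_format_directives(hostile));
    return 0;
}
```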


The vulnerable package is

Name        : inn
Version     : 2.2.2
Release     : 132
Group       : Networking/Daemons
Size        : 5764682
Summary     : Inter Net News
Description :
Build Date  : Mit 20 Sep 2000 20:02:52 CEST
Source RPM  : inn-2.2.2-132.src.rpm

Rich Salz's InterNetNews news transport system.


2. Impact
---------

It may be possible to obtain elevated privileges on vulnerable machines,
usually uid=0.
As far as I saw it on SuSE, startinnfeed is not marked executable for
any user, only for the members of the news group (and root of course).
So assuming that some user is able to elevate his privileges and gain
gid=news, it may be possible to obtain uid=0 as well.



3. Solution
-----------

Quick fix: chmod u-s /usr/lib/news/bin/startinnfeed
