[4071] in bugtraq
playing buffer overflows on inn
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Wed Feb 19 23:37:23 1997
Date: Wed, 19 Feb 1997 12:11:27 +0100
Reply-To: Thomas Roessler <Thomas.Roessler@SOBOLEV.RHEIN.DE>
From: Thomas Roessler <Thomas.Roessler@SOBOLEV.RHEIN.DE>
To: BUGTRAQ@netspace.org
[part of this mail was already sent to the redhat-users list, part wasn't.]
On Feb 18 1997, Erik Troan wrote:
> There is a major security hole in recent versions of INN which allow
> users to gain root access on your systems running them. All users of Red
> Hat 4.0 and Red Hat 4.1 are urged to upgrade to the inn-1.5.1-3 package
> available from ftp.redhat.com. The same package will work on both 4.0
> and 4.1 systems, and is available from ftp.redhat.com in /updates/4.0
> and /updates/4.1. Users with direct Internet connections can upgrade
> with one of the following commands:
This description is rather unclear. After some search in the sources of
1.4u4, it seems to me that the relevant change in 1.5.1 is changing
    case 'S':
        master = optarg;
        break;
(like it is in 1.4u4) to
    case 'S':
        if (strlen(optarg) >= SMBUF - 4)
            Usage();
        master = optarg;
        break;
(like it is in 1.5.1) in innd/innd.c since `master' will be used in an
sprintf() statement later (to be precise, in rc.c). There are some other
changes in putting together certain strings from inn.conf values, it's done
with much more care; I didn't check for any overflows there. Maybe there
are ways for news to gain root access if inn is installed suid root.
In addition, the TZ environment variable has write access to the stack in
inndstart, just have a look at the last sprintf() in innd/inndstart.c. It
should be possible to exploit this to execute arbitrary commands under the
news ID - luckily, root privileges have been given up completely at this
point. (1.4u4 and 1.5.1).
Yet another buffer overflow can be found in the inews program which runs
sgid news on many installations. Breaking this gid can mean injecting news
without inews' control or accessing the news system's configuration file:
Iff inews.c is compiled with DONT_MUNGE_GECOS, innd does
    (void)strcpy(outbuff, pwp->pw_gecos);
with a fixed-size local buffer outbuff. (1.4u4 and 1.5.1).
When trying to cancel an article, inews first compares the article's sender
to the local user name. In order to do so, we have the following code:
    while (fgets(buff, sizeof buff, FromServer) != NULL) {
        if ((p = strchr(buff, '\r')) != NULL)
            *p = '\0';
        if ((p = strchr(buff, '\n')) != NULL)
            *p = '\0';
        if (buff[0] == '.' && buff[1] == '\0')
            break;
        if (EQn(buff, "Sender:", 7))
            (void)strcpy(remotefrom, TrimSpaces(&buff[7]));
        else if (remotefrom[0] == '\0' && EQn(buff, "From:", 5))
            (void)strcpy(remotefrom, TrimSpaces(&buff[5]));
    }
(identical in 1.5.1 and 1.4u4). remotefrom is a local buffer of a size of
SMBUF. SMBUF is configured in config data:
    ## A general small buffer.
    #### =()<SMBUF @<SMBUF>@>()=
    SMBUF 256
- while buff is BUFFSIZ bytes long, on my system that's e.g. 1024 bytes.
The overflow should be obvious. At least, it's a configuration option.
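To show what a bounded version of that loop looks like, here is an added example (my own code, not INN's): it keeps the Sender:/From: logic above but refuses any value that would not fit in remotefrom instead of copying it with strcpy. The SMBUF/BUFFSIZ values are the ones quoted above; trim_spaces, extract_remotefrom and the sample header block are assumptions of this example.

```c
#include <string.h>
#include <ctype.h>

#define SMBUF   256   /* INN's "general small buffer", from config data */
#define BUFFSIZ 1024  /* size of the fgets line buffer on the author's system */
/* Strip leading/trailing whitespace in place (stand-in for INN's TrimSpaces). */
static char *trim_spaces(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}
/* Bounded rewrite of the inews Sender:/From: loop. `headers` is a constructed
 * NUL-terminated block of CRLF lines ending in ".", as read from the server.
 * Returns 0 with the value in remotefrom, 1 if no sender header was seen,
 * -1 if the value would not fit (the case the original strcpy overflows on). */
int extract_remotefrom(const char *headers, char *remotefrom, size_t remotefrom_len)
{
    char buff[BUFFSIZ], *p, *val;
    const char *line = headers;
    remotefrom[0] = '\0';
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buff) len = sizeof buff - 1;  /* fgets splits here too */
        memcpy(buff, line, len);
        buff[len] = '\0';
        line += len + (line[len] == '\n');
        if ((p = strchr(buff, '\r')) != NULL) *p = '\0';
        if (buff[0] == '.' && buff[1] == '\0') break;
        val = NULL;
        if (strncmp(buff, "Sender:", 7) == 0)
            val = trim_spaces(buff + 7);
        else if (remotefrom[0] == '\0' && strncmp(buff, "From:", 5) == 0)
            val = trim_spaces(buff + 5);
        if (val != NULL) {
            if (strlen(val) >= remotefrom_len) return -1;  /* reject, don't overflow */
            strcpy(remotefrom, val);                       /* safe: length checked */
        }
    }
    return remotefrom[0] != '\0' ? 0 : 1;
}
/* Constructed sample: a From: value longer than SMBUF but well inside BUFFSIZ. */
int demo_oversized_from(void)
{
    char hdr[BUFFSIZ] = "From: ", out[SMBUF];
    memset(hdr + 6, 'A', 294);
    strcpy(hdr + 300, "\r\n.\r\n");
    return extract_remotefrom(hdr, out, sizeof out);  /* returns -1 */
}
```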
tlr
--
Thomas Roessler · 74a353cc0b19 · We did it. · http://home.pages.de/~roessler/