[15229] in bugtraq

Re: innd 2.2.2 remote buffer overflow

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue Jun 6 18:26:02 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0006052244340.9425-100000@dione.ids.pl>
Date:         Mon, 5 Jun 2000 22:46:25 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         Russ Allbery <rra@stanford.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <ylya4ifuyd.fsf@windlord.stanford.edu>

On 6 Jun 2000, Russ Allbery wrote:

> Note that this code is only ever executed if the option
> "verifycancels" is enabled in inn.conf.  This is *not* the default,
> and has been recommended against for some time now since it really
> doesn't do any real good.

It is enabled by default in RH, and usually is enabled on live innd sites.

> Note that due to the syntax checking INN performs on message IDs, this
> will be mildly difficult to exploit, although it's probably at least
> theoretically possible.

It is exploitable :)

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
