inn STABLE+DEVEL: security relevant bug

Heiko Schlichting inn-bugs at FU-Berlin.DE
Mon Oct 4 02:29:12 UTC 1999


[Snapshot inn-1999-10-03_03-00 and also in STABLE branch]

When streaming is enabled and INN gets an NNTP "check" command WITHOUT a
following space/tab and message-id, it prints some memory dump to the
requestor.  In most cases, this can be reproduced but it depends on the
content of the memory what exactly will happen.

To reproduce, connect to a streaming enabled innd and send "check<CR>".

As a result some (more or less) random content of the memory is returned.
In most cases, this will be article fragments. But I had at least one case
returning some content of incoming.conf including the passwords specified in
this file in clear text! This makes this bug security relevant.

Patch follows below, Heiko.

Heiko Schlichting       | Freie Universitaet Berlin
heiko at FU-Berlin.DE      | Zentraleinrichtung fuer Datenverarbeitung (ZEDAT)
Telefon +49 30 838-4327 | Fabeckstrasse 32
Telefax +49 30 838-6721 | D-14195 Berlin
---------------------------------------------------------------------------
--- innd/nc.c.org	Fri Oct  1 20:00:55 1999
+++ innd/nc.c	Mon Oct  4 03:49:40 1999
@@ -1280,7 +1280,7 @@
 
     cp->Check++;
     /* Snip off the Message-ID. */
-    for (p = cp->In.Data; !ISWHITE(*p); p++)
+    for (p = cp->In.Data; *p && !ISWHITE(*p); p++)
 	continue;
     for ( ; ISWHITE(*p); p++)
 	continue;
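Review bot: with the new `*p &&` guard, a bare "check" leaves p on the terminator after both loops, so whatever follows this hunk is handed an empty Message-ID; the visible lines do not show that case being rejected. Consider testing `*p == '\0'` right after the whitespace skip and answering with a syntax error there, rather than relying on later code to cope with an empty ID. The guard also depends on cp->In.Data always being NUL-terminated at this point, which is worth stating in the "Snip off the Message-ID" comment.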


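An added illustration, not part of the original post or of INN's source, of why the unpatched scan returns bytes from beyond the command while the patched one stops at the terminator. The `ISWHITE` definition (space or tab), the function names and the `arena` contents are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed definition of the macro used in the patch: space or tab. */
#define ISWHITE(c) ((c) == ' ' || (c) == '\t')

/* Constructed stand-in for process memory: the received command, its
 * terminator, then unrelated bytes that happen to follow it. */
static char arena[] = "check\0leftover: password placeholder\0";

/* Constructed well-formed command for comparison. */
static char ok_cmd[] = "check <1@example.invalid>";

/* Pre-patch scan. The `end` bound exists only to keep this demo inside
 * its own array; the original loop had no bound at all. */
static const char *snip_unpatched(const char *in, const char *end)
{
    const char *p;
    for (p = in; p < end && !ISWHITE(*p); p++)
        continue;   /* a NUL is not whitespace, so it is stepped over */
    for ( ; p < end && ISWHITE(*p); p++)
        continue;
    return p;
}

/* Patched scan: the first loop also stops at the NUL terminator. */
static const char *snip_patched(const char *in)
{
    const char *p;
    for (p = in; *p && !ISWHITE(*p); p++)
        continue;
    for ( ; ISWHITE(*p); p++)
        continue;
    return p;
}

int main(void)
{
    const char *end = arena + sizeof arena;
    printf("well-formed: \"%s\"\n", snip_patched(ok_cmd));
    printf("bare check, unpatched: \"%s\"\n", snip_unpatched(arena, end));
    printf("bare check, patched:   \"%s\"\n", snip_patched(arena));
    return 0;
}
```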