Buffer overflow in inndstart

Stan Bubrouski SB at MailAndNews.com
Mon Sep 6 18:47:02 UTC 1999


There is a buffer overflow in inndstart, or maybe in innd, I'm not sure 
which.  The overflow occurs when the variable BIND_INADDR supplied to 
inndstart is about 9200 chars or more long. It is an overflow, but since most 
people configure inndstart to be run only by root it may not be too bad of a 
security threat, although anyone who installed INN by hand may incorrectly 
install it suid root and executable by all (it happens!). I tried this on 
INN-1.7.2 on RedHat Linux 5.2, kernel 2.0.36.  I looked at the code and there 
is no bounds checking when BIND_INADDR is read by inndstart and inn. Just 
thought I'd let you know in case it is an exploitable overflow. If you run an 
advisory please give me credit.


-Stan Bubrouski

P.S. The code is ugly, hehe; right above the code the comment says /* Linux 
Ugliness */ ;) It's an easy fix though.

------------------------------------------------------------
Stan Bubrouski
SB at mailandnews.com
------------------------------------------------------------
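The report above describes the classic pattern of copying an environment value (BIND_INADDR) into a fixed-size buffer with no length check. The following is an added illustration written for this page, not INN's own code and not a reconstruction of the actual inndstart source: it shows the unsafe pattern next to a bounded, validated replacement. The buffer size, the function names, and the 9200-character test value are assumptions chosen for the example; the only fact taken from the report is that BIND_INADDR is read from the environment and that an oversized value overflows.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A dotted-quad IPv4 address is at most 15 characters ("255.255.255.255").
 * The buffer size below is an assumption for this example, not INN's value. */
#define BIND_ADDR_MAX 32

/* Unsafe pattern (illustrative, not INN's code): the attacker-controlled
 * environment value is copied into a fixed stack buffer with strcpy and no
 * length check, so a value of a few thousand bytes overruns the buffer.
 * Shown for contrast only; nothing in this file calls it. */
void vulnerable_read_bind_inaddr(void)
{
    char addr[BIND_ADDR_MAX];
    const char *p = getenv("BIND_INADDR");
    if (p != NULL)
        strcpy(addr, p);           /* no bounds check */
    (void)addr;
}

/* Hardened version: bound the copy and insist the value is a syntactically
 * valid IPv4 address.  Returns 0 and fills out on success, -1 otherwise. */
static int read_bind_inaddr(const char *value, char *out, size_t outsz)
{
    struct in_addr tmp;
    const char *nul;
    size_t n;

    if (value == NULL || out == NULL || outsz == 0)
        return -1;
    /* Look for the terminator only within outsz bytes: an oversized value
     * is rejected without ever scanning its full length. */
    nul = memchr(value, '\0', outsz);
    if (nul == NULL)
        return -1;                 /* would not fit, NUL included */
    n = (size_t)(nul - value);
    if (inet_pton(AF_INET, value, &tmp) != 1)
        return -1;                 /* not a dotted quad */
    memcpy(out, value, n + 1);
    return 0;
}

/* Reads the environment the way a bind-address setter would. */
static int read_bind_inaddr_env(char *out, size_t outsz)
{
    return read_bind_inaddr(getenv("BIND_INADDR"), out, outsz);
}

/* Constructed oversized value of the kind the report describes. */
static char *make_long_value(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char addr[BIND_ADDR_MAX];
    char *big = make_long_value(9200);

    printf("\"127.0.0.1\"  -> %d\n", read_bind_inaddr("127.0.0.1", addr, sizeof addr));
    printf("9200 x 'A'   -> %d\n", read_bind_inaddr(big, addr, sizeof addr));
    printf("\"not.an.ip\"  -> %d\n", read_bind_inaddr("not.an.ip", addr, sizeof addr));
    printf("environment  -> %d\n", read_bind_inaddr_env(addr, sizeof addr));
    free(big);
    return 0;
}
```

The point of validating with inet_pton as well as bounding the length is that a setuid helper should accept only the one shape of input it actually needs; a length check alone would still pass garbage through to whatever parses the address next.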


