Buffer overflow in inndstart
Stan Bubrouski
SB at MailAndNews.com
Mon Sep 6 18:47:02 UTC 1999
There is a buffer overflow in the inndstart or maybe in innd I'm not sure
which. The overflow occurs when the variable BIND_INADDR supplied to
inndstart is about 9200 chars or more long. It is an overflow, but since most
people configure inndstart to be only run by root it may not be too bad of a
security threat, although anyone who installed INN by hand may incorrectly
install it suid root and executable by all (it happens!). I tried this on
INN-1.7.2 on RedHat Linux 5.2, kernel 2.0.36. I looked at the code and there
is no bounds checking when BIND_INADDR is read by inndstart and inn. Just
thought I'd let you know in case it is an exploitable overflow. If you run an
advisory please give me credit.
-Stan Bubrouski
P.S. The code is ugly, hehe right above the code the comment says /* Linux
Ugliness */ ;) it's an easy fix though.
------------------------------------------------------------
Stan Bubrouski
SB at mailandnews.com
------------------------------------------------------------
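
Added example, not part of the original message and not INN's own code: one way a privileged helper can bounds-check an environment value such as BIND_INADDR before using it. It assumes the variable holds a dotted-quad IPv4 address; the function names parse_bind_inaddr, bind_addr_from_env and self_check are hypothetical, and the inputs are constructed.

```c
#define _POSIX_C_SOURCE 200809L  /* for setenv() */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Validate an untrusted address string before it reaches any buffer.
 * Returns 0 and fills *out on success, -1 if the value is rejected. */
int parse_bind_inaddr(const char *value, struct in_addr *out)
{
    if (value == NULL || out == NULL)
        return -1;
    /* A dotted quad fits in INET_ADDRSTRLEN bytes including the NUL.
     * memchr() looks at no more than that many bytes, so a 9200-char
     * value is rejected without being copied anywhere. */
    if (memchr(value, '\0', INET_ADDRSTRLEN) == NULL)
        return -1;
    /* inet_pton() accepts only a well-formed IPv4 address. */
    return inet_pton(AF_INET, value, out) == 1 ? 0 : -1;
}

/* Read the variable from the environment: 1 = unset, 0 = ok, -1 = bad. */
int bind_addr_from_env(struct in_addr *out)
{
    const char *value = getenv("BIND_INADDR");
    if (value == NULL)
        return 1;
    return parse_bind_inaddr(value, out);
}

/* Constructed inputs: an oversized value like the one reported, then a valid one. */
int self_check(void)
{
    static char big[9300];              /* zero-filled, so always NUL-terminated */
    struct in_addr addr;
    memset(big, 'A', sizeof big - 1);   /* 9299 'A' characters */
    if (setenv("BIND_INADDR", big, 1) != 0 || bind_addr_from_env(&addr) != -1)
        return -1;
    if (setenv("BIND_INADDR", "127.0.0.1", 1) != 0 || bind_addr_from_env(&addr) != 0)
        return -1;
    return addr.s_addr == htonl(INADDR_LOOPBACK) ? 0 : -1;
}

int main(void)
{
    return self_check() == 0 ? 0 : 1;
}
```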