Russ Allbery rra at stanford.edu
Thu Apr 12 16:08:58 UTC 2001

Enrique A Sanchez Montellano <enrique.sanchez at defcom.com> writes:

> Woohoo! Took me a while since I have a lot of work but finally I came
> up with the fix, it's a one-liner and I made a .diff file so a patch can be
> easily applied. I attach the advisory in full so you can read it and
> tell me a date in which you can have the system patched (also a URL in
> which the fix would be).

Well, I don't understand the point of your advisory, and yet again I would
like to repeat that this does not constitute a security hole.  Issuing a
security advisory for it therefore doesn't make any sense.

I told you that if you found a security hole, we'd be happy to work with
you on an advisory, but this still isn't a security hole.

Thank you for the patch, though.  It will be in the next release of INN,
since it does fix a quality of implementation issue.

> ----------------------=[Detailed Description]=------------------------
> Due to no bounds checking on the logOrPrint() function on the vsprintf()
> a stack overflow occurs, thus rendering the stack. The user then is able
> to gain news id, in which he can the trojan binaries to gain further
> access to upgrade his privileges.

How can he then further upgrade his privileges?  I don't believe that this
is the case; please show me an example.

Furthermore, you can only get news UID if you already have news GID:

> nahual at shell:~$ ls -al /usr/lib/news/bin/startinnfeed
> -r-sr-x---   1 root     news        40796 Jun 14  2000 /usr/lib/news/bin/startinnfeed*

and there are innumerable other ways of getting news UID if you have news
GID if you're running INN 2.2.  If you're running INN 2.3, your exploit
won't run unless you're *already* news UID, in which case the whole thing
is an extremely complicated way of spawning a new shell with your existing

I appreciate the work that you're trying to do here, but you need to make
sure that you have all of your facts accurate.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
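As an added illustration of the quality-of-implementation fix discussed above (example code written for this page, not INN's logOrPrint() or the poster's patch): a logging helper that formats into a fixed stack buffer with vsnprintf() instead of the unbounded vsprintf(), and reports truncation rather than running past the buffer. LOG_BUF_SIZE, log_line and log_or_print are assumed names.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 256   /* fixed-size buffer, as a logging helper would use */

typedef struct {
    char text[LOG_BUF_SIZE];  /* always NUL-terminated */
    bool truncated;           /* message did not fit and was cut short */
} log_line;

/* Hypothetical stand-in for a logOrPrint()-style helper (not INN's code).
 * vsnprintf() never writes more than sizeof line.text bytes, so an
 * over-long format argument is truncated instead of smashing the stack. */
log_line log_or_print(bool to_stderr, const char *fmt, ...)
{
    log_line line;
    va_list ap;

    va_start(ap, fmt);
    int needed = vsnprintf(line.text, sizeof line.text, fmt, ap);
    va_end(ap);

    if (needed < 0) {
        /* Encoding error, or a pre-C99 libc that returns -1 on overflow:
         * treat as truncated and make sure the buffer is a valid string. */
        line.text[sizeof line.text - 1] = '\0';
        line.truncated = true;
    } else {
        /* C99: return value is the length the full message would need. */
        line.truncated = (size_t)needed >= sizeof line.text;
    }

    if (to_stderr)
        fprintf(stderr, "%s%s\n", line.text, line.truncated ? " [truncated]" : "");
    return line;
}

int main(void)
{
    char big[1000];                      /* constructed over-long argument */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    log_line ok = log_or_print(true, "peer %s sent %d articles", "news.example", 42);
    log_line cut = log_or_print(true, "%s", big);
    return (ok.truncated || !cut.truncated) ? 1 : 0;
}
```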

