innfeed vulnerability

Enrique A. Sanchez Montellano enrique.sanchez at
Fri Mar 23 09:48:01 UTC 2001

More technical detail:

+ innfeed on the -c switch has no bounds checking and has a buffer of  
462 (no code read yet just did a binary structured disassembly for a 
paper I'm doing) so by using 470 chars you get control of the stack.

--- logs of xploit ---
root at shell:~/projects/overflows/startinnfeed# ls -al 
-r-xr-x---   1 news     news       213124 Jun 14  2000 
root at shell:~/projects/overflows/startinnfeed# ls -al 
-r-sr-x---   1 root     news        40796 Jun 14  2000 
root at shell:~/projects/overflows/startinnfeed# id
uid=0(root) gid=0(root) 
root at shell:~/projects/overflows/startinnfeed# ./x-innfeed
[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
[ + ] Found by:

[ + ] Alex Hernandez (alex.hernandez at
[ + ] Enrique Sanchez ( ... Yes is just
[ + ] Defcom Labs @ Spain ....
[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)

[ + ] Using address 0xbffff7f4
[ + ] Starting exploitation ...

bash$ id
uid=9(news) gid=13(news) 
bash$ exit
root at shell:~/projects/overflows/startinnfeed#

--- logs xploit ---

The thing is that startinnfeed will start innfeed as root and pass all 
the stuff to it, I have not been able to check all the platforms you can 
find this and if you could tell me I would be gratefull since I want to 
make shure it works on all not to scare anyone without any specs. I'm 
working on an advisory and I have pulled down the code to see if I can 
help on the patch (should be something like strcpy() to strnpy() ... 
hopefully the program is great and huge!). I'm not really render on 
sending an unpublished exploit without PgP-ing it throught the internet, 
so if you want working code let me knoe please.

Enrique A. Sanchez Montellano (El Nahual)
Chief Technical Officer Defcom Madrid
+(34) 651 134492

More information about the inn-bugs mailing list