innfeed vulnerability

Russ Allbery rra at stanford.edu
Fri Mar 23 10:27:46 UTC 2001 


Enrique A Sanchez Montellano <enrique.sanchez at defcom.com> writes:

> More technical detail:

> + innfeed on the -c switch has no bounds checking and has a buffer of
> 462 (no code read yet just did a binary structured disassembly for a
> paper I'm doing) so by using 470 chars you get control of the stack.

-c is provided by the user, who's already trusted to execute things as the
user that innfeed runs as.  I don't see how this is possibly exploitable.
I would certainly welcome a patch to fix that sort of buffer overflow, but
it's not a security issue.  startinnfeed doesn't do any option parsing of
its own and has already dropped privileges irrevocably by the time innfeed
is executed.

Something similar to this was reported to BUGTRAQ a while back, and I
responded with some analysis there and an explanation of why I didn't
think this was a security issue.  No one has yet disagreed with me or
produced any evidence to change that.

Your exploit log is not evidence of any sort of security vulnerability:

> root at shell:~/projects/overflows/startinnfeed# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)

You started as root.

> root at shell:~/projects/overflows/startinnfeed# ./x-innfeed
> [ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
> ------------------------------------------------------------
> [ + ] Found by:

> [ + ] Alex Hernandez (alex.hernandez at defcom.com)
> [ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)
> [ + ] Defcom Labs @ Spain ....
> [ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)

> [ + ] Using address 0xbffff7f4
> [ + ] Starting exploitation ...

> bash$ id
> uid=9(news) gid=13(news)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)

You became news.  So?  You can do that with su.

In order to prove a security vulnerability, you have to gain elevated
privileges.  The exploit is completely meaningless when you're running it
as root to begin with.

It is possible, using startinnfeed in older versions of INN, to obtain
news UID access if you already have news GID access.  This is why only
trusted users who have legitimate access to the news account should be in
the news group, but this is a long-known limitation of the way INN handles
groups.  This has nonetheless been closed off more thoroughly in current
versions of INN.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the inn-bugs mailing list