innfeed vulnerability
Enrique A. Sanchez Montellano
enrique.sanchez at defcom.com
Fri Mar 23 10:39:16 UTC 2001
Russ Allbery wrote:
> -c is provided by the user, who's already trusted to execute things as the
> user that innfeed runs as. I don't see how this is possibly exploitable.
> I would certainly welcome a patch to fix that sort of buffer overflow, but
> it's not a security issue. startinnfeed doesn't do any option parsing of
> its own and has already dropped privileges irrevocably by the time innfeed
> is executed.
Well, if I overflow innfeed I get my own shell since it is not suid ... so
startinnfeed is giving suid to innfeed, that's why I use startinnfeed in
the overflow ... =)
> Something similar to this was reported to BUGTRAQ a while back, and I
> responded with some analysis there and an explanation of why I didn't
> think this was a security issue. No one has yet disagreed with me or
> produced any evidence to change that.
Sorry, I checked and no bug was reported on securityfocus so I thought
this escaped you ...
> You became news. So? You can do that with su.
On some systems startinnfeed is executable to everyone, then I would be
able to up my privs I guess ...
> In order to prove a security vulnerability, you have to gain elevated
> privileges. The exploit is completely meaningless when you're running it
> as root to begin with.
I understand that ... but in some systems startinnfeed is executable to
everyone, bad administration I know but can lead to news compromise then.
>
> It is possible, using startinnfeed in older versions of INN, to obtain
> news UID access if you already have news GID access. This is why only
> trusted users who have legitimate access to the news account should be in
> the news group, but this is a long-known limitation of the way INN handles
> groups. This has nonetheless been closed off more thoroughly in current
> versions of INN.
>
I have Slack 7.1 and the exploit works great ... I'm sorry to disturb
you, thank you for your time. I fully understand that this might not be
exploitable on normal settings, just thought you might want to know. =)
Enrique A. Sanchez Montellano (El Nahual)
Chief Technical Officer Defcom Spain
+(34) 651 134492