innfeed vulnerability

Enrique A. Sanchez Montellano enrique.sanchez at defcom.com
Fri Mar 23 10:39:16 UTC 2001
Russ Allbery wrote:

> -c is provided by the user, who's already trusted to execute things as the
> user that innfeed runs as.  I don't see how this is possibly exploitable.
> I would certainly welcome a patch to fix that sort of buffer overflow, but
> it's not a security issue.  startinnfeed doesn't do any option parsing of
> its own and has already dropped privileges irrevocably by the time innfeed
> is executed.

Well, if I overflow innfeed I get my own shell since it's not suid ... so 
startinnfeed is giving suid to innfeed; that's why I use startinnfeed in 
the overflow ... =)

> Something similar to this was reported to BUGTRAQ a while back, and I
> responded with some analysis there and an explanation of why I didn't
> think this was a security issue.  No one has yet disagreed with me or
> produced any evidence to change that.

Sorry, I checked and no bug was reported on securityfocus, so I thought 
this escaped you ...

> You became news.  So?  You can do that with su.

On some systems startinnfeed is executable to everyone, so I would be 
able to up my privs, I guess ...

> In order to prove a security vulnerability, you have to gain elevated
> privileges.  The exploit is completely meaningless when you're running it
> as root to begin with.

I understand that ... but on some systems startinnfeed is executable to 
everyone; bad administration, I know, but it can lead to news compromise then.

> 
> It is possible, using startinnfeed in older versions of INN, to obtain
> news UID access if you already have news GID access.  This is why only
> trusted users who have legitimate access to the news account should be in
> the news group, but this is a long-known limitation of the way INN handles
> groups.  This has nonetheless been closed off more thoroughly in current
> versions of INN.
> 
I have Slack 7.1 and the exploit works great ... I'm sorry to disturb 
you, thank you for your time. I fully understand that this might not be 
exploitable on normal settings, just thought you might want to know. =)

Enrique A. Sanchez Montellano (El Nahual)
Chief Technical Officer Defcom Spain
+(34) 651 134492