innfeed vulnerability

Russ Allbery rra at stanford.edu
Fri Mar 23 11:36:24 UTC 2001



Enrique A Sanchez Montellano <enrique.sanchez at defcom.com> writes:
> Russ Allbery wrote:

>> Then those systems are broken and I strongly encourage you to report a
>> bug against the packagers of INN for those systems.  INN itself never
>> installs startinnfeed that way, and doing so does indeed open a large
>> security hole.  (You don't even need buffer overflows in innfeed to
>> exploit that security hole; it's trivial to get startinnfeed to execute
>> any program you want.)

> Point taken, now in my mind I'm just thinking how you would do that but
> that is something I'll try to find out on my own. Heh

Take a look at inndstart in a current verison of INN (2.3.1); I document
exactly how the security model works.

>> startinnfeed must only be executable by members of the news group.

> Ok, I shall try to see if I can manage to get root (I'm pretty shure I
> won't but at least I'll die trying ;-P...), in case I do or don't would
> you mind me making a patch for it and sending it to you?

I'd gladly welcome a patch for that buffer overflow regardless of whether
it's exploitable or not.  *grin*  Thank you!

> then releasing an advisory?

Sure.  I think that if Slackware is shipping startinnfeed world-executable
and still setuid root, that deserves an advisory; you may want to give
them a head's-up first, though, if they're doing that.

If you find a security hole in INN, we'll also issue our own advisory, but
I have no objections to you issuing one as well.  Our *preference* would
be, if you find a security hole, that you could give us time to patch it
and then a day after that before announcing anything, since that will mean
there's a snapshot available with the fix incorporated for people to
upgrade to.

> I know I'm a pain but I want to contribute I like your program, I think
> is great and want to make it more secure and better. I hope you don't
> mind.

Thanks!  I don't mind at all.  :)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the inn-bugs mailing list