inn-2.2 inews buffer overflow

Jeff King peff at dbd.com
Fri Aug 20 21:58:10 UTC 1999



	I have discovered a potential buffer overflow in frontends/inews.c
from the inn-2.2 release (I also grabbed the nightly snapshot from
8/19/1999 -- the bug still appears to be present).  The issue is that
there is no bounds-checking on "from" headers given on the command line;
when copied into SMBUF-sized buffers, an overflow can occur and arbitrary
code can be executed.  I have included a patch against the 8/19 snapshot
which changes the offending strcpy()s to strncpy()s.  Another solution
would be to bounds-check the argument as it is pulled from optarg (which
might be a little saner -- checking data as it comes into the program
would save checking it *every* time it gets used).
	A malicious user, of course, only gets his egid set to the "news"
group by this. However, under many configurations (notably RedHat 6.0),
getting into the "news" group gives one execute permission on the
SUID-root inndstart, from which one can gain root through the INNCONF
environment variable (this was actually dealt with in a RH security update
which hardcoded the news user).  Regardless, one can still become the news
user in this fashion (by having the inn.conf file direct it to execute
arbitrary code rather than innd) -- from here, a variety of programs can
be trojanned, including inews itself.

Jeff King
DBD Group
http://www.dbd.com
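As an added example (not from Jeff King's post, the attached patch, or the inn sources), here are the two fixes the mail contrasts side by side: the copy-and-truncate approach of the attached patch next to the check-on-input approach of rejecting an over-long "from" value where it is read, plus a probe showing why the patch needs the explicit NUL after strncpy(). The SMBUF value and the header contents are assumed/constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define SMBUF 256   /* assumed value for the demo; inews defines its own */

/* Option A, what the attached patch does: copy and truncate.  It cannot
 * overflow, but silently shortens an over-long header, and strncpy() alone
 * leaves dst unterminated when src has dstsz or more bytes, hence the NUL. */
size_t copy_truncate(char *dst, const char *src, size_t dstsz)
{
    strncpy(dst, src, dstsz);
    dst[dstsz - 1] = '\0';
    return strlen(dst);
}

/* Option B, the alternative the mail suggests: validate once where the value
 * is read (e.g. from optarg).  Copies and returns 0 on success; returns -1
 * and leaves dst untouched when the header plus its NUL would not fit. */
int copy_checked(char *dst, const char *src, size_t dstsz)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* 1 if strncpy() by itself leaves an SMBUF-sized buffer unterminated for src.
 * The buffer is pre-filled with 'X' so a missing terminator is observable. */
int strncpy_leaves_unterminated(const char *src)
{
    char dst[SMBUF];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

int main(void)
{
    char from[SMBUF], big[SMBUF + 100];
    memset(big, 'a', sizeof big - 1);          /* constructed over-long header */
    big[sizeof big - 1] = '\0';
    printf("checked copy: %d  truncated length: %zu  strncpy alone terminates: %s\n",
           copy_checked(from, big, sizeof from), copy_truncate(from, big, sizeof from),
           strncpy_leaves_unterminated(big) ? "no" : "yes");
    return 0;
}
```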



-- Attached file included as plaintext by Listar --
-- File: inews.c.patch

--- inews.c	Mon Apr 26 04:40:44 1999
+++ inews.c.fix	Fri Aug 20 00:44:07 1999
@@ -356,7 +356,8 @@
     HeaderCleanFrom(remotefrom);
 
     /* Get the local user. */
-    (void)strcpy(localfrom, HDR(_sender) ? HDR(_sender) : HDR(_from));
+    (void)strncpy(localfrom, HDR(_sender) ? HDR(_sender) : HDR(_from), SMBUF);
+    localfrom[SMBUF - 1] = '\0';
     HeaderCleanFrom(localfrom);
 
     /* Is the right person cancelling? */
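Review bot: the new strncpy()/NUL pair bounds the copy but silently truncates an over-long Sender/From value, so localfrom may no longer be the address the caller supplied by the time the cancel check that follows it (`/* Is the right person cancelling? */`) compares it; consider rejecting an over-long value with an error where it is read from optarg, as the cover mail itself suggests, or at least checking strlen() against SMBUF here and failing instead of truncating. The explicit `localfrom[SMBUF - 1] = '\0';` also deserves a one-line comment, since strncpy() does not terminate the string when the source fills the buffer.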
@@ -597,7 +598,8 @@
 	HDR(_from) = FormatUserName(pwp, p);
     else {
       (void)sprintf(buff, "%s@%s", pwp->pw_name, p);
-      (void)strcpy(from, HDR(_from));
+      (void)strncpy(from, HDR(_from), SMBUF);
+      from[SMBUF - 1] = '\0';
       HeaderCleanFrom(from);
       if (!EQ(from, buff))
         HDR(_sender) = COPY(buff);
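Review bot: the unchanged `(void)sprintf(buff, "%s@%s", pwp->pw_name, p);` two lines above the new strncpy() is still an unbounded write; if buff is a fixed-size buffer like from, a long pw_name or host string p could overflow it, so it should become `snprintf(buff, sizeof buff, ...)` (or get a length check) in the same patch. Separately, once from is truncated to SMBUF - 1 bytes, `if (!EQ(from, buff))` can fail for a header that was actually equal, which would add an unneeded Sender: header; that is another reason to reject over-long input rather than truncate it.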


