Buffer overflow in inndstart

Forrest J. Cavalier III mibsoft at mibsoftware.com
Tue Sep 7 03:57:52 UTC 1999


Stan Bubrouski <SB at MailAndNews.com> reported the following
to inn-bugs at isc.org on September 6, 1999.

> Subject:       Buffer overflow in inndstart
> There is a buffer overflow in the inndstart or maybe in innd I'm not sure 
> which.  The overflow occurs when the variable BIND_INADDR supplied to 
> inndstart is about 9200 chars or more long. It is an overflow, but since most
> people configure inndstart to be only run by root it may not be too bad of a
> security threat, although anyone who installed INN by hand may incorrectly install
> it suid root and executable by all (it happens!). I tried this on INN-1.7.2 on
> RedHat Linux 5.2, kernel 2.0.36.  I looked at the code and there is no bounds
> checking when BIND_INADDR is read by inndstart and inn. Just thought I'd let you
> know in case it is an exploitable overflow. If you run an advisory please give me
> credit.
> 

Further note that TZ is copied from the environment using the same method as
BIND_INADDR.

It looks exploitable to me also if (as Stan Bubrouski points out)
the SUID root inndstart is installed in a non-protected directory.

Severity:   At the point of the buffer overflow, the UID and GID are already
            set to NewsUID and NewsGID, so this is not a root exploit in any
            case.



Versions affected:  The unsafe buffer copy exists in inndstart.c in
                    INN2.x and INN1.x, at least back to INN1.5.1.


Corrective action: make sure the inndstart binary is in a directory
                   readable only by user news.

Safe code, which logs attempts, would be similar to:

  (void)sprintf(buff, "BIND_INADDR=");
  /* room left after the prefix and the trailing NUL; refuse rather than overflow */
  if (strlen(p) > sizeof(buff) - strlen(buff) - 1) {
      syslog(L_FATAL, "inndstart cant copy BIND_INADDR");
      exit(1);
  }
  strcat(buff, p);   /* now known to fit */

(Alternatively a strncat() with store of '\0' would silently truncate
while preventing the overflow.)  I'd prefer the attempt was logged.
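As an added illustration (not INN's code and not from the original post), the checked copy and the strncat() alternative side by side, each fed a constructed BIND_INADDR value of the size in the report; the buffer size ENVBUF_SIZE, the helper names and the use of stderr in place of syslog are assumptions made for the example:

```c
#include <stdio.h>
#include <string.h>
#define ENVBUF_SIZE 4096   /* assumed size; the report does not give inndstart's */

/* Build "NAME=value" into buff as the corrected code should.  Returns 0, or -1
   after logging (stderr stands in for syslog) if the value would not fit. */
int build_env_checked(char *buff, size_t bufsize, const char *name, const char *value)
{
    if (strlen(name) + 1 >= bufsize) return -1;  /* not even "NAME=" fits */
    snprintf(buff, bufsize, "%s=", name);
    if (strlen(value) > bufsize - strlen(buff) - 1) {
        fprintf(stderr, "inndstart cant copy %s (value too long)\n", name);
        return -1;
    }
    strcat(buff, value);                        /* now known to fit */
    return 0;
}

/* The strncat() alternative from the post: overflow-proof but it silently
   truncates; the returned length lets a caller notice that it did. */
size_t build_env_truncate(char *buff, size_t bufsize, const char *name, const char *value)
{
    snprintf(buff, bufsize, "%s=", name);
    strncat(buff, value, bufsize - strlen(buff) - 1);   /* strncat adds the NUL */
    return strlen(buff);
}

/* Constructed input: a BIND_INADDR value of value_len 'A's, like the
   ~9200-char value in the report.  value_len must stay below 16384. */
static const char *constructed_value(size_t value_len)
{
    static char value[16384];
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    return value;
}

/* Checked copy of a value_len-char BIND_INADDR: 0 if copied, -1 if rejected. */
int checked_result_for_len(size_t value_len)
{
    static char buff[ENVBUF_SIZE];
    return build_env_checked(buff, sizeof buff, "BIND_INADDR", constructed_value(value_len));
}

/* Truncating copy of the same input: length of the string actually stored. */
size_t truncated_len_for_len(size_t value_len)
{
    static char buff[ENVBUF_SIZE];
    return build_env_truncate(buff, sizeof buff, "BIND_INADDR", constructed_value(value_len));
}
```

With the 9200-character value the checked copy refuses and logs, while the truncating copy stores exactly ENVBUF_SIZE-1 characters and nothing is written past the buffer in either case.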

Forrest J. Cavalier III, Mib Software, INN customization and
consulting 'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages: 
   http://www.mibsoftware.com/innsup.htm 
