Buffer overflow in inndstart
Forrest J. Cavalier III
mibsoft at mibsoftware.com
Tue Sep 7 03:57:52 UTC 1999
Stan Bubrouski <SB at MailAndNews.com> reported the following
to inn-bugs at isc.org on September 6, 1999.
> Subject: Buffer overflow in inndstart
> There is a buffer overflow in the inndstart or maybe in innd I'm not sure
> which. The overflow occurs when the variable BIND_INADDR supplied to
> inndstart is about 9200 chars or more long. It is an overflow, but since most
> people configure inndstart to be only run by root it may not be too bad of a
> security threat, although anyone who installed INN by hand may incorrectly install
> it suid root and executable by all (it happens!). I tried this on INN-1.7.2 on
> RedHat Linux 5.2, kernel 2.0.36. I looked at the code and there is no bounds
> checking when BIND_INADDR is read by inndstart and inn. Just thought I'd let you
> know in case it is an exploitable overflow. If you run an advisory please give me
> credit.
>
Further note that TZ is copied from the environment using the same method as
BIND_INADDR.
It looks exploitable to me also if (as Stan Bubrouski points out)
the SUID root inndstart is installed in a non-protected directory.
Severity: At the point of the buffer overflow, the UID and GID are already
set to NewsUID and NewsGID, so this is not a root exploit in any
case.
Versions affected: The unsafe buffer copy exists in inndstart.c in
INN2.x and INN1.x, at least back to INN1.5.1.
Corrective action: make sure the inndstart binary is in a directory
readable only by user news.
Safe code, which logs attempts, would be similar to:
    (void)sprintf(buff, "BIND_INADDR=");
    /* room left for p is sizeof(buff) - strlen(buff) - 1 (trailing NUL) */
    if (strlen(p) > sizeof(buff)-strlen(buff)-1) {
        syslog(L_FATAL, "inndstart cant copy BIND_INADDR");
        exit(1);
    }
    strcat(buff,p);
(Alternatively a strncat() with store of '\0' would silently truncate
while preventing the overflow.) I'd prefer the attempt was logged.
Forrest J. Cavalier III, Mib Software, INN customization and
consulting 'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages:
http://www.mibsoftware.com/innsup.htm
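Added example, not inndstart's own code and not from the message above: a stand-alone C helper that builds "NAME=value" the way the message proposes (refuse and let the caller log when the value does not fit) beside the strncat-with-NUL-store variant it mentions, run against a constructed oversized value. Function names and the 64-byte buffer size are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not inndstart's own code: append "NAME=value" to a
 * fixed-size buffer only if it fits, which is the check the message proposes.
 * Returns 0 on success, -1 if the value would overflow (caller logs and exits). */
int append_env_checked(char *buff, size_t bufsize, const char *name, const char *value)
{
    size_t used;
    if (strlen(name) + 1 >= bufsize)     /* no room even for "NAME=" */
        return -1;
    (void)sprintf(buff, "%s=", name);
    used = strlen(buff);
    /* space left for value = bufsize - used - 1 (trailing NUL) */
    if (strlen(value) > bufsize - used - 1)
        return -1;                      /* would overflow: refuse */
    strcat(buff, value);
    return 0;
}

/* Truncating alternative the message mentions: strncat plus an explicit NUL
 * store. Never overflows, but silently drops the tail of the value.
 * Returns 1 if truncated, 0 if copied whole, -1 if even "NAME=" does not fit. */
int append_env_truncate(char *buff, size_t bufsize, const char *name, const char *value)
{
    size_t used, room;
    if (strlen(name) + 1 >= bufsize)
        return -1;
    (void)sprintf(buff, "%s=", name);
    used = strlen(buff);
    room = bufsize - used - 1;
    strncat(buff, value, room);
    buff[bufsize - 1] = '\0';           /* explicit terminator store */
    return strlen(value) > room ? 1 : 0;
}

int main(void)
{
    char buff[64], big[200];
    /* constructed oversized value standing in for a ~9200-char BIND_INADDR */
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    if (append_env_checked(buff, sizeof(buff), "BIND_INADDR", "10.0.0.1") == 0)
        printf("copied: %s\n", buff);
    if (append_env_checked(buff, sizeof(buff), "BIND_INADDR", big) != 0)
        printf("refused %zu-char BIND_INADDR, would log and exit\n", strlen(big));
    if (append_env_truncate(buff, sizeof(buff), "BIND_INADDR", big) == 1)
        printf("truncating variant kept %zu chars\n", strlen(buff));
    return 0;
}
```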