Buffer overflow in inndstart

Forrest J. Cavalier III mibsoft at mibsoftware.com
Tue Sep 7 03:57:52 UTC 1999

Stan Bubrouski <SB at MailAndNews.com> reported the following
to inn-bugs at isc.org on September 6, 1999.

> Subject:       Buffer overflow in inndstart
> There is a buffer overflow in the inndstart or maybe in innd, I'm not sure
> which.  The overflow occurs when the variable BIND_INADDR supplied to
> inndstart is about 9200 chars or more long. It is an overflow, but since most
> people configure inndstart to be only run by root it may not be too bad of a
> security threat, although anyone who installed INN by hand may incorrectly install
> it suid root and executable by all (it happens!). I tried this on INN-1.7.2 on
> RedHat Linux 5.2, kernel 2.0.36.  I looked at the code and there is no bounds
> checking when BIND_INADDR is read by inndstart and inn. Just thought I'd let you
> know in case it is an exploitable overflow. If you run an advisory please give me
> credit.

Further note that TZ is copied from the environment using the same method as

It looks exploitable to me also if (as Stan Bubrouski points out)
the SUID root inndstart is installed in a non-protected directory.

Severity:   At the point of the buffer overflow, the UID and GID are already
            set to NewsUID and NewsGID, so this is not a root exploit in any

Versions affected:  The unsafe buffer copy exists in inndstart.c in
                    INN2.x and INN1.x, at least back to INN1.5.1.

Corrective action: make sure the inndstart binary is in a directory
                   readable only by user news.

Safe code, which logs attempts, would be similar to:

  (void)sprintf(buff, "BIND_INADDR=");
  if (strlen(p) > sizeof(buff)-strlen(buff)-1) {
      syslog(L_FATAL, "inndstart cant copy BIND_INADDR");
      exit(1);
  }
  (void)strcat(buff, p);

(Alternatively a strncat() with store of '\0' would silently truncate
while preventing the overflow.)  I'd prefer the attempt was logged.
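As an added example (not the post's or INN's own code), the bounded copy described above written as a stand-alone C function: it refuses and reports any NAME=value line that will not fit in the fixed buffer instead of overflowing or silently truncating, and because the variable name is a parameter it covers TZ as well as BIND_INADDR. ENV_BUFF_SIZE, the function names and the 9200-byte constructed input are assumptions for this example; fprintf(stderr) stands in for INN's syslog(L_FATAL, ...).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed buffer the environment line is built in;
 * the report does not state inndstart's real buffer size. */
#define ENV_BUFF_SIZE 128

/* Build "NAME=value" in buff, refusing rather than overflowing.
 * Returns 0 on success, -1 if NAME, '=', value and the NUL would not fit. */
int build_env_entry(char *buff, size_t buff_size,
                    const char *name, const char *value)
{
    size_t need = strlen(name) + 1 + strlen(value) + 1;
    if (need > buff_size)
        return -1;
    (void)snprintf(buff, buff_size, "%s=%s", name, value);
    return 0;
}

/* Copy NAME from the process environment into buff.  Returns 0 if copied,
 * 1 if NAME is unset, -1 if the value is too long (logged, not truncated).
 * fprintf(stderr) stands in for INN's syslog(L_FATAL, ...) here. */
int copy_env_checked(char *buff, size_t buff_size, const char *name)
{
    const char *p = getenv(name);
    if (p == NULL)
        return 1;
    if (build_env_entry(buff, buff_size, name, p) != 0) {
        fprintf(stderr, "inndstart can't copy %s: %zu-byte value too long\n",
                name, strlen(p));
        return -1;
    }
    return 0;
}

/* Demonstration: feed a BIND_INADDR value of the length the report
 * mentions (about 9200 bytes, constructed here) and return the verdict. */
int oversized_rejected(void)
{
    char buff[ENV_BUFF_SIZE];
    char big[9200];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return build_env_entry(buff, sizeof(buff), "BIND_INADDR", big);
}
```

copy_env_checked() is the drop-in shape for inndstart's loop over BIND_INADDR and TZ; oversized_rejected() only exists to show the check firing on an input of the reported size.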

Forrest J. Cavalier III, Mib Software, INN customization and
consulting 'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages: 