Bugtraq mailing list archives
playing buffer overflows on inn
From: Thomas.Roessler () SOBOLEV RHEIN DE (Thomas Roessler)
Date: Wed, 19 Feb 1997 12:11:27 +0100
[part of this mail was already sent to the redhat-users list, part wasn't.] On Feb 18 1997, Erik Troan wrote:
> There is a major security hole in recent versions of INN which allows users to gain root access on your systems running them. All users of Red Hat 4.0 and Red Hat 4.1 are urged to upgrade to the inn-1.5.1-3 package available from ftp.redhat.com. The same package will work on both 4.0 and 4.1 systems, and is available from ftp.redhat.com in /updates/4.0 and /updates/4.1. Users with direct Internet connections can upgrade with one of the following commands:
This description is rather unclear. After some searching in the sources of 1.4u4, it seems to me that the relevant change in 1.5.1 is changing

    case 'S':
        master = optarg;
        break;

(like it is in 1.4u4) to

    case 'S':
        if (strlen(optarg) >= SMBUF - 4)
            Usage();
        master = optarg;
        break;

(like it is in 1.5.1) in innd/innd.c, since `master' will be used in an sprintf() statement later (to be precise, in rc.c). There are some other changes in putting together certain strings from inn.conf values; it's done with much more care. I didn't check for any overflows there. Maybe there are ways for news to gain root access if inn is installed suid root.

In addition, the TZ environment variable has write access to the stack in inndstart; just have a look at the last sprintf() in innd/inndstart.c. It should be possible to exploit this to execute arbitrary commands under the news ID - luckily, root privileges have been given up completely at this point. (1.4u4 and 1.5.1.)

Yet another buffer overflow can be found in the inews program, which runs sgid news on many installations. Breaking this gid can mean injecting news without inews' control or accessing the news system's configuration file: Iff inews.c is compiled with DONT_MUNGE_GECOS, innd does

    (void)strcpy(outbuff, pwp->pw_gecos);

with a fixed-size local buffer outbuff. (1.4u4 and 1.5.1.)

When trying to cancel an article, inews first compares the article's sender to the local user name. In order to do so, we have the following code:

    while (fgets(buff, sizeof buff, FromServer) != NULL) {
        if ((p = strchr(buff, '\r')) != NULL)
            *p = '\0';
        if ((p = strchr(buff, '\n')) != NULL)
            *p = '\0';
        if (buff[0] == '.' && buff[1] == '\0')
            break;
        if (EQn(buff, "Sender:", 7))
            (void)strcpy(remotefrom, TrimSpaces(&buff[7]));
        else if (remotefrom[0] == '\0' && EQn(buff, "From:", 5))
            (void)strcpy(remotefrom, TrimSpaces(&buff[5]));
    }

(identical in 1.5.1 and 1.4u4). remotefrom is a local buffer of size SMBUF. SMBUF is configured in config data:

    ## A general small buffer.
    #### =()<SMBUF @<SMBUF>@>()=
    SMBUF	256

while buff is BUFSIZ bytes long; on my system that's e.g. 1024 bytes. The overflow should be obvious. At least, it's a configuration option.

tlr

-- 
Thomas Roessler · 74a353cc0b19 · We did it. · http://home.pages.de/~roessler/
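The following is an added example, not INN's code and not part of the post above: the inews header-copying loop quoted in the mail, rewritten so that the unbounded strcpy() into the SMBUF-sized remotefrom buffer becomes a bounded copy that rejects a Sender:/From: value which would not fit. Names that are assumptions of this example rather than INN's: LINEBUF stands in for the poster's BUFSIZ-sized line buffer, trim_spaces for INN's TrimSpaces(), strncmp for EQn(), and next_line() mimics fgets() over a constructed in-memory header block instead of the FromServer stream.

```c
/* Added example (not INN's code): bounded version of the inews loop from
 * the post. LINEBUF/SMBUF mirror the sizes the post names (BUFSIZ 1024,
 * SMBUF 256); trim_spaces, next_line and copy_bounded are assumed helpers. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SMBUF   256    /* "A general small buffer", as in the post's config */
#define LINEBUF 1024   /* the poster's BUFSIZ-sized line buffer */

/* Read the next line (at most size-1 bytes, newline included) like fgets();
 * returns 0 when the input string is exhausted. */
static int next_line(const char **cursor, char *buff, size_t size) {
    const char *s = *cursor;
    size_t i = 0;
    if (*s == '\0')
        return 0;
    while (*s != '\0' && i < size - 1) {
        buff[i++] = *s++;
        if (buff[i - 1] == '\n')
            break;
    }
    buff[i] = '\0';
    *cursor = s;
    return 1;
}

/* Strip leading and trailing whitespace in place; returns the text start. */
static char *trim_spaces(char *s) {
    char *end;
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Bounded replacement for strcpy(): copies src only if it fits in dst
 * together with its NUL; otherwise clears dst and returns -1. */
static int copy_bounded(char *dst, size_t dstsize, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same structure as the loop in the post: CRLF-terminated header lines ended
 * by a lone "."; Sender: wins over From:. Returns 1 if a value was stored,
 * 0 if none was present, -1 if a value was too long for SMBUF (the article
 * is rejected instead of overflowing remotefrom). */
int extract_remote_from(const char *headers, char remotefrom[SMBUF]) {
    char buff[LINEBUF];
    char *p;
    remotefrom[0] = '\0';
    while (next_line(&headers, buff, sizeof buff)) {
        if ((p = strchr(buff, '\r')) != NULL)
            *p = '\0';
        if ((p = strchr(buff, '\n')) != NULL)
            *p = '\0';
        if (buff[0] == '.' && buff[1] == '\0')
            break;
        if (strncmp(buff, "Sender:", 7) == 0) {
            if (copy_bounded(remotefrom, SMBUF, trim_spaces(&buff[7])) != 0)
                return -1;
        } else if (remotefrom[0] == '\0' && strncmp(buff, "From:", 5) == 0) {
            if (copy_bounded(remotefrom, SMBUF, trim_spaces(&buff[5])) != 0)
                return -1;
        }
    }
    return remotefrom[0] != '\0';
}

/* Returns 1 when the parser stores exactly `expected` for `headers`. */
int extracted_equals(const char *headers, const char *expected) {
    char who[SMBUF];
    return extract_remote_from(headers, who) == 1 && strcmp(who, expected) == 0;
}

/* Builds a From: line whose value is `len` bytes of 'a' (constructed input)
 * and returns the parser's result, so the SMBUF boundary can be checked. */
int result_for_from_of_length(size_t len) {
    char headers[LINEBUF + 32];
    char who[SMBUF];
    size_t n = 6;
    if (len > LINEBUF - 16)
        len = LINEBUF - 16;
    memcpy(headers, "From: ", n);
    memset(headers + n, 'a', len);
    n += len;
    memcpy(headers + n, "\r\n.\r\n", 6);   /* includes the terminating NUL */
    return extract_remote_from(headers, who);
}

int main(void) {
    /* constructed sample header block, not captured server output */
    const char *sample = "From: user@example.org (Example User)\r\n"
                         "Subject: test\r\n.\r\n";
    char who[SMBUF];
    int rc = extract_remote_from(sample, who);
    printf("rc=%d remotefrom=\"%s\"\n", rc, who);
    printf("255-byte From: -> %d, 256-byte From: -> %d\n",
           result_for_from_of_length(255), result_for_from_of_length(256));
    return 0;
}
```

The over-long value is rejected rather than silently truncated: since inews uses remotefrom for an ownership comparison before honouring a cancel, a truncated address could compare equal on a prefix, so refusing the article is the safer failure mode. The same bound (strlen() against the destination size minus the NUL) is what the 1.5.1 check on optarg in innd.c applies before master reaches sprintf().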