Bugtraq mailing list archives

playing buffer overflows on inn


From: Thomas.Roessler () SOBOLEV RHEIN DE (Thomas Roessler)
Date: Wed, 19 Feb 1997 12:11:27 +0100


[part of this mail was already sent to the redhat-users list, part wasn't.]

On Feb 18 1997, Erik Troan wrote:

There is a major security hole in recent versions of INN which allow
users to gain root access on your systems running them.  All users of Red
Hat 4.0 and Red Hat 4.1 are urged to upgrade to the inn-1.5.1-3 package
available from ftp.redhat.com. The same package will work on both 4.0
and 4.1 systems, and is available from ftp.redhat.com in /updates/4.0
and /updates/4.1. Users with direct Internet connections can upgrade
with one of the following commands:

This description is rather unclear.  After some search in the sources of
1.4u4, it seems to me that the relevant change in 1.5.1 is changing

        case 'S':
            master = optarg;
            break;

(like it is in 1.4u4) to

        case 'S':
            if (strlen(optarg) >= SMBUF - 4)
                Usage();
            master = optarg;
            break;


(like it is in 1.5.1) in innd/innd.c since `master' will be used in an
sprintf() statement later (to be precise, in rc.c).  There are some other
changes in putting together certain strings from inn.conf values; it's done
with much more care.  I didn't check for any overflows there.  Maybe there
are ways for news to gain root access if inn is installed suid root.


In addition, the TZ environment variable has write access to the stack in
inndstart, just have a look at the last sprintf() in innd/inndstart.c.  It
should be possible to exploit this to execute arbitrary commands under the
news ID - luckily, root privileges have been given up completely at this
point.  (1.4u4 and 1.5.1).


Yet another buffer overflow can be found in the inews program which runs
sgid news on many installations.  Breaking this gid can mean injecting news
without inews' control or accessing the news system's configuration file:
Iff inews.c is compiled with DONT_MUNGE_GECOS, innd does

            (void)strcpy(outbuff, pwp->pw_gecos);

with a fixed-size local buffer outbuff.  (1.4u4 and 1.5.1).


When trying to cancel an article, inews first compares the article's sender
to the local user name.  In order to do so, we have the following code:

    while (fgets(buff, sizeof buff, FromServer) != NULL) {
        if ((p = strchr(buff, '\r')) != NULL)
                *p = '\0';
        if ((p = strchr(buff, '\n')) != NULL)
                *p = '\0';
        if (buff[0] == '.' && buff[1] == '\0')
                break;
        if (EQn(buff, "Sender:", 7))
                (void)strcpy(remotefrom, TrimSpaces(&buff[7]));
        else if (remotefrom[0] == '\0' && EQn(buff, "From:", 5))
                (void)strcpy(remotefrom, TrimSpaces(&buff[5]));
    }

(identical in 1.5.1 and 1.4u4).  remotefrom is a local buffer of a size of
SMBUF.  SMBUF is configured in config data:

        ##  A general small buffer.
        #### =()<SMBUF                  @<SMBUF>@>()=
        SMBUF                   256

- while buff is BUFFSIZ bytes long, on my system that's e.g. 1024 bytes.

The overflow should be obvious.  At least, it's a configuration option.
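As an added illustration (not code from this post and not INN's own source), the following C program shows the two fixes the post discusses from the defender's side: the 1.5.1 length check on the `-S` argument as a predicate, and a bounded version of the Sender:/From: loop in which the copy into an SMBUF-sized `remotefrom` is refused when the value does not fit, instead of overflowing. `trim_spaces()` is a stand-in for INN's TrimSpaces(), `LINEBUF` is an assumed value for the BUFSIZ-sized line buffer, and the header blocks are constructed sample input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SMBUF   256   /* INN's "general small buffer" from config.data */
#define LINEBUF 1024  /* assumed size of the BUFSIZ-sized line buffer */

/* Stand-in for INN's TrimSpaces(): strip surrounding whitespace in place. */
static char *trim_spaces(char *s)
{
    char *end;
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Copy src into dst only if it fits, NUL included.  Returns 1 on success,
   0 (dst untouched) if src is too long: the check strcpy() never does. */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsize)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Bounded Sender:/From: loop.  headers is a NUL-terminated block of
   "\n"-separated lines standing in for FromServer; a line "." ends them.
   Returns 1 if a value was stored in remotefrom, 0 if none was found,
   -1 if a line or value was too long for its buffer. */
int extract_remote_from(const char *headers, char *remotefrom, size_t rfsize)
{
    char buff[LINEBUF];
    const char *line = headers;
    char *p;

    remotefrom[0] = '\0';
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl != NULL ? (size_t)(nl - line) : strlen(line);

        if (len >= sizeof buff)      /* would not fit the line buffer */
            return -1;
        memcpy(buff, line, len);
        buff[len] = '\0';
        line = nl != NULL ? nl + 1 : line + len;

        if ((p = strchr(buff, '\r')) != NULL)
            *p = '\0';
        if (buff[0] == '.' && buff[1] == '\0')
            break;
        if (strncmp(buff, "Sender:", 7) == 0) {
            if (!copy_bounded(remotefrom, rfsize, trim_spaces(&buff[7])))
                return -1;
        } else if (remotefrom[0] == '\0' && strncmp(buff, "From:", 5) == 0) {
            if (!copy_bounded(remotefrom, rfsize, trim_spaces(&buff[5])))
                return -1;
        }
    }
    return remotefrom[0] != '\0';
}

/* The 1.5.1 check on the -S argument as a predicate: the value must leave
   4 bytes of headroom in an SMBUF-sized buffer. */
int master_option_ok(const char *optarg)
{
    return strlen(optarg) < SMBUF - 4;
}

/* Demo: constructed headers where Sender: follows From: (Sender: wins). */
const char *demo_basic(void)
{
    static char rf[SMBUF];
    static const char *hdrs =
        "From: alice@example.org\nSender: bob@example.org\n.\n";
    return extract_remote_from(hdrs, rf, sizeof rf) == 1 ? rf : "";
}

/* Demo: a constructed 300-byte From: value that fits buff but not
   remotefrom; the original strcpy() would overflow, this returns -1. */
int demo_overlong_from(void)
{
    char hdrs[LINEBUF], rf[SMBUF];
    memcpy(hdrs, "From: ", 6);
    memset(hdrs + 6, 'a', 300);
    memcpy(hdrs + 306, "\n.\n", 4);
    return extract_remote_from(hdrs, rf, sizeof rf);
}

/* Demo: an n-byte -S value (n < SMBUF) run through the 1.5.1 check. */
int demo_master(size_t n)
{
    char arg[SMBUF];
    memset(arg, 'a', n);
    arg[n] = '\0';
    return master_option_ok(arg);
}

int main(void)
{
    printf("remotefrom = \"%s\"\n", demo_basic());
    printf("300-byte From: -> %d\n", demo_overlong_from());
    printf("-S 251 bytes -> %d, 252 bytes -> %d\n",
           demo_master(251), demo_master(252));
    return 0;
}
```

The point of `copy_bounded()` is that the size of the destination, not the size of the source line, decides whether the copy happens; the same pattern applies to the GECOS copy in inews and to the `-S` value before it reaches sprintf() in rc.c.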

tlr
--
Thomas Roessler · 74a353cc0b19 · We did it. · http://home.pages.de/~roessler/
