Inn (Inter Net News) security problems

[Paul Starzetz <paul () starzetz de>]

Hi,

I found several problems inside the inn (<=2.2.3) package as shipped
with various Linux distributions. There are several format string coding
bugs as well as unsecure open() calls. In particular the inews and the
rnews binaries are affected. This may lead to serious security problems
if those binaries are installed set-uid and are executable by any user.
In the case of inews, obtaining uid news is possible (which can be
further used to replace/trojan other system files like the binaries
themselves), in the case of rnews, access to probably sensitive inn
configuration files seems possible (like inn password hashes etc).

The attached archive contains a short proof of concept code for one of
the format string bugs (look in the inews.sh script for more details) in
the inews binary. The code has been succesfully tested against SuSE 7.0
where inews and rnews are setuid news. Later distributions seems to use
another security conecept - the binaries are either only setgid news or
are not runnable by ordinary users. The exploitation is technically
difficult - it requires a fake NNTP server setup somewhere (the code
comes with the tar package). Note: this is NOT a remote exploit. Look at
the code for more technical details. The code will create a setuid news
shell.

Vendors have been noticed more than 5 weeks ago.

regards,

/ih

Attachment: innexpl.tar.gz
Description: