Hi, I found several problems inside the inn (<=2.2.3) package as shipped with various Linux distributions. There are several format string coding bugs as well as unsecure open() calls. In particular the inews and the rnews binaries are affected. This may lead to serious security problems if those binaries are installed set-uid and are executable by any user. In the case of inews, obtaining uid news is possible (which can be further used to replace/trojan other system files like the binaries themselves), in the case of rnews, access to probably sensitive inn configuration files seems possible (like inn password hashes etc). The attached archive contains a short proof of concept code for one of the format string bugs (look in the inews.sh script for more details) in the inews binary. The code has been succesfully tested against SuSE 7.0 where inews and rnews are setuid news. Later distributions seems to use another security conecept - the binaries are either only setgid news or are not runnable by ordinary users. The exploitation is technically difficult - it requires a fake NNTP server setup somewhere (the code comes with the tar package). Note: this is NOT a remote exploit. Look at the code for more technical details. The code will create a setuid news shell. Vendors have been noticed more than 5 weeks ago. regards, /ih
This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 18:02:41 PDT