OSEC

From: Paul Starzetz (paulstarzetz.de)
Date: Thu Apr 11 2002 - 13:22:01 CDT


Hi,

I found several problems inside the inn (<=2.2.3) package as shipped
with various Linux distributions. There are several format string coding
bugs as well as insecure open() calls. In particular the inews and the
rnews binaries are affected. This may lead to serious security problems
if those binaries are installed set-uid and are executable by any user.
In the case of inews, obtaining uid news is possible (which can be
further used to replace/trojan other system files like the binaries
themselves); in the case of rnews, access to probably sensitive inn
configuration files seems possible (like inn password hashes etc).

The attached archive contains short proof-of-concept code for one of
the format string bugs (look in the inews.sh script for more details) in
the inews binary. The code has been successfully tested against SuSE 7.0
where inews and rnews are setuid news. Later distributions seem to use
another security concept - the binaries are either only setgid news or
are not runnable by ordinary users. The exploitation is technically
difficult - it requires a fake NNTP server setup somewhere (the code
comes with the tar package). Note: this is NOT a remote exploit. Look at
the code for more technical details. The code will create a setuid news
shell.

Vendors were notified more than 5 weeks ago.

regards,

/ih
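The two bug classes the post names, a user-controlled string used as a printf-style format and an open() performed with a set-uid program's elevated privileges, are illustrated below in a constructed example. This is added editorial code, not inn's code or the author's proof of concept, and the function names (render_unsafe, render_safe, count_directives, open_as_invoker, demo_open) are assumptions made for the illustration. The unsafe renderer is shown for contrast only and is never called; the hardened versions pass untrusted text as a %s argument and open user-chosen paths only after switching to the invoker's real uid, with O_NOFOLLOW so a symlink planted by the user cannot redirect the open.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

/* Unsafe pattern (shown, never invoked): the untrusted text IS the format
 * string, so "%x" leaks stack words and "%n" writes memory. Compilers flag
 * this with -Wformat-security. */
int render_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}

/* Hardened: fixed format, untrusted text passed as a %s argument, so any
 * directives it contains are copied literally into the output. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Defensive check: number of conversion directives in a string that should
 * never reach a format argument ("%%" is a literal percent, not a directive).
 * Useful when auditing inputs a set-uid program echoes into log messages. */
int count_directives(const char *s)
{
    int c = 0;
    for (; *s; s++) {
        if (s[0] == '%' && s[1] == '%') { s++; continue; }
        if (s[0] == '%') c++;
    }
    return c;
}

/* A set-uid program opening a path chosen by the invoking user should do so
 * with the invoker's privileges, not its own elevated ones.  Temporarily set
 * the effective uid to the real uid, open, then restore.  O_NOFOLLOW refuses
 * symbolic links; O_CLOEXEC keeps the descriptor from leaking into children.
 * Returns the descriptor, or -1 with errno set. */
int open_as_invoker(const char *path, int flags)
{
    uid_t real = getuid(), saved = geteuid();
    if (seteuid(real) != 0)
        return -1;                       /* could not drop: refuse to open */
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC);
    int saved_errno = errno;
    if (seteuid(saved) != 0) {           /* could not restore: fail closed */
        if (fd >= 0) close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Self-check using constructed files in /tmp: a regular file must open and
 * read back, a symlink to it must be refused with ELOOP.  Returns 1 on success,
 * 0 otherwise. */
int demo_open(void)
{
    char path[] = "/tmp/inn-demo-XXXXXX";
    char link[64];
    char buf[16] = {0};
    int ok = 0;

    int fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, "secret\n", 7) != 7) { close(fd); unlink(path); return 0; }
    close(fd);

    fd = open_as_invoker(path, O_RDONLY);
    if (fd >= 0 && read(fd, buf, sizeof buf - 1) == 7 && strcmp(buf, "secret\n") == 0)
        ok = 1;
    if (fd >= 0) close(fd);

    snprintf(link, sizeof link, "%s.lnk", path);
    if (ok && symlink(path, link) == 0) {
        int lfd = open_as_invoker(link, O_RDONLY);
        if (lfd != -1 || errno != ELOOP) ok = 0;   /* symlink must be refused */
        if (lfd >= 0) close(lfd);
        unlink(link);
    }
    unlink(path);
    return ok;
}

int main(void)
{
    char out[64];
    render_safe(out, sizeof out, "%x%x%n");
    printf("rendered literally: %s (%d directives)\n", out, count_directives("%x%x%n"));
    printf("open_as_invoker demo: %s\n", demo_open() ? "ok" : "FAILED");
    return 0;
}
```

The check in count_directives is the kind of assertion a reviewer can grep for in a set-uid code base: any string that reaches a printf-family call as its format argument must be a compile-time literal, and anything derived from argv, the environment, a network peer or a file must go through a %s. The open helper is deliberately fail-closed: if the privilege switch cannot be restored the descriptor is discarded rather than returned under the wrong identity.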