4257916 1999-08-29 07:10 /54 lines/ Postmaster
Recipient: Bugtraq (import) <7511>
Subject: INN inews vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <14279.1624.776848.500278@velo.jab.fr>
Date:         Fri, 27 Aug 1999 23:43:53 +0200
Reply-To: brister@VIX.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: brister@VIX.COM
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

INN versions 2.2 and earlier have a buffer overflow-related security
condition in the inews program.

inews is a program used to inject new postings into the news system. It is
used by many news reading programs and scripts. The default installation is
with inews setgid to the news group and world executable. It's possible that
exploiting the buffer overflow could give the attacker news group
privileges, which could possibly be extended to root access.

No case of this being exploited has been shown yet.

If you run a news server with no local readers (i.e. all your clients are
remote) then you can remove the setgid-bit on inews.

	chmod 0550 inews

The rnews program, used to feed news via uucp, is setuid to the uucp user.
No buffer overflow problems have been found in rnews, but if you don't run
uucp on your machine, then we recommend disabling the setuid bit on rnews:

	chown news rnews
	chgrp news rnews
	chmod 0550 rnews

A fuller description can be found at

	http://www.isc.org/view.cgi?products/INN/inn2.2.vulnerability.phtml

The latest INN version 2.2.1

	ftp://ftp.isc.org/isc/inn/inn-2.2.1.tar.gz

has the buffer overflow problem fixed. Upgrading is recommended, if you
cannot disable the inews setgid bit.

James
--
James Brister                                           brister@vix.com
Internet Software Consortium
(4257916) -----------------------------------
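
The permission changes recommended in the message above can be verified afterwards with a small audit script. This is an added example, not part of the original posting or of INN; the paths of inews and rnews are passed as arguments because the message does not give install locations, and the function names check_bits and audit_all are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or from INN): report whether the
# setuid/setgid bits discussed in the message are still set.
# Assumption: the caller passes the paths of inews and rnews as arguments.

# check_bits FILE -> 0: no setuid/setgid bit, 1: bit still set, 2: not a file
check_bits() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "SKIP $f: not a regular file"
        return 2
    fi
    flagged=0
    if [ -u "$f" ]; then echo "WARN $f: setuid bit set"; flagged=1; fi
    if [ -g "$f" ]; then echo "WARN $f: setgid bit set"; flagged=1; fi
    if [ "$flagged" -eq 0 ]; then
        echo "OK   $f: no setuid/setgid bit"
        return 0
    fi
    # The advisory's default install is setgid and world executable: flag that
    # combination, since it lets any local user run the privileged binary.
    if [ -n "$(find "$f" -prune -perm -0001)" ]; then
        echo "WARN $f: world executable as well"
    fi
    return 1
}

# audit_all FILE... -> 0 when no file carries a setuid/setgid bit, else 1
audit_all() {
    findings=0
    for target in "$@"; do
        bits_rc=0
        check_bits "$target" || bits_rc=$?
        if [ "$bits_rc" -eq 1 ]; then findings=$((findings + 1)); fi
    done
    echo "$findings file(s) with setuid/setgid bits"
    [ "$findings" -eq 0 ]
}

# Run only when paths are given, e.g.: sh audit.sh /path/to/inews /path/to/rnews
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

A non-zero exit status from audit_all means at least one of the given binaries still carries a setuid or setgid bit.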