6388193 2001-04-18 23:01 -0700  /99 lines/ Russ Allbery <rra@STANFORD.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-04-20  04:35  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rra@STANFORD.EDU
Recipient: Bugtraq (import) <16657>
Comment on text 6380751 by Enrique A. Sanchez Montellano <enrique.sanchez@DEFCOM.COM>
Subject: Re: Innfeed Buffer Overflow
------------------------------------------------------------
From: Russ Allbery <rra@STANFORD.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <ylae5dbf7u.fsf@windlord.stanford.edu>

Some clarifications.  This exploit will not affect most installed INN
systems, and is, in my opinion, *primarily* a documentation issue
(although there are indeed security issues, the main one of which has
already been addressed in current versions of INN).

If you have users other than the news user in the news group on a
system with INN installed, this issue affects you; read on.  If you
don't, this issue does not (unless you somehow have a misinstalled
startinnfeed).

Enrique A Sanchez Montellano <enrique.sanchez@DEFCOM.COM> writes:

> ======================================================================
>                  Defcom Labs Advisory def-2001-19
>                 innfeed buffer overflow

This affects versions of INN prior to INN 2.3.0.  startinnfeed was
rewritten in INN 2.3.0 and will no longer execute unless run as the
news user (the only user it will then setuid() to), making
buffer overflows in innfeed irrelevant from a security standpoint.

This particular buffer overflow is nonetheless fixed as a quality of
implementation issue in the current CVS tree and that fix will be in
the next release (in a different way than the patch provided in this
advisory, since the change recommended in this advisory required
vsnprintf).

> Due to no bounds checking on the innfeed program a buffer overflow
> occurs while using the -c flag, thus rendering complete control of the
> stack. And rendering news uid and gid.

A whole bunch of details are missing here.  Let me try to fill them
in:

  INN installs a wrapper for innfeed that is setuid root called
  startinnfeed; this wrapper raises resource limits and then
  immediately calls setuid to the news user before execing innfeed.
  This wrapper is installed with permissions 4710, executable by
  group news.  This wrapper does not have a buffer overflow exploit,
  but it does execute innfeed with the provided arguments, and it's
  possible to overflow a buffer in innfeed itself by passing it
  extremely long command-line arguments (in all versions of INN prior
  to the current CVS version).

  In versions of INN prior to INN 2.3.0, the wrapper was executable by
  anyone in the news group, and therefore this exploit can be used to
  obtain access to the news UID if one already has access to the news
  GID.

Now, long-time users of INN may not be particularly surprised by
this, as INN has *always* trusted the users who are part of the news
group.  By default (for quite some time; as long as I've been running
news, at the least) INN installed all of its configuration files
group-writeable, with the assumption that members of the news group
are the news administrators, who would have access to the news
account anyway.  Obviously, with group-writeable configuration files,
there are a wide variety of ways to elevate news GID access to news
UID access without requiring buffer overflows.

The correct fix is to not put anyone in the news group who does not
also have access to the news UID.  This assumption was *not* clearly
documented in the INSTALL guide; it is now in CVS, and I appreciate
this oversight being pointed out.

INN 2.4.0 when released will probably *not* continue the policy of
installing configuration files group-writeable by default, since I
don't believe that this is the way most news servers are configured
these days.

> The user then is able to gain news id, in which he can then trojan
> binaries to gain further access to upgrade his privileges.

There is no additional exploit that would allow one to upgrade
privileges further.  The above observation simply points out that if
you have access to the news account, and if root regularly runs
binaries owned by news, you can obtain access to root.

Obviously, root should not be executing binaries owned by users other
than root, for precisely this reason.  A default installation of INN
does not put any of the INN binaries on root's path, and the
installation instructions specifically recommend against running any
portion of the news system as root.

> ---innfeed-overflow.patch---
> 210c210
> <       vsprintf (buffer,fmt,ap) ;
> ---
> >       vsnprintf (buffer,512,fmt,ap) ;
> ---innfeed-overflow.patch---
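Review bot: the replacement line `vsnprintf (buffer,512,fmt,ap) ;` hardcodes 512 where the bound should be the declared size of `buffer` (sizeof when it is a local array, or the same constant used in its declaration), so that the limit cannot drift from the allocation if the declaration is later changed; the patch also turns an overflow into silent truncation without checking the return value, and it depends on vsnprintf, which the reply above gives as the reason INN's own fix was done differently.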

This patch applies to innfeed/misc.c.

My apologies for not getting back to the original sender of this
message in time with the above additional clarifications; I was under
the impression the advisory wasn't going to be sent out until
tomorrow.

--
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
(6388193) /Russ Allbery <rra@STANFORD.EDU>/(Rewrapped)
6388194 2001-04-18 20:44 +0200  /39 lines/ Hugo van der Kooij <hvdkooij@VANDERKOOIJ.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-04-20  04:41  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: hvdkooij@VANDERKOOIJ.ORG
Recipient: Bugtraq (import) <16658>
Comment on text 6380751 by Enrique A. Sanchez Montellano <enrique.sanchez@DEFCOM.COM>
Subject: Re: Innfeed Buffer Overflow
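The reply above reduces the question to two checks: is anyone other than the news user in the news group, and is the setuid startinnfeed wrapper executable by that group. The script below is an added example (not part of Russ Allbery's mail nor of INN itself); it takes copies of /etc/group and /etc/passwd plus the wrapper path as arguments, so it can be run against a live system or against snapshots.

```shell
#!/bin/sh
# Added example, not INN code: audit the two conditions under which the
# innfeed overflow matters according to the reply above.

# Print every account that holds the news GID, either as a supplementary
# member listed in /etc/group or as its primary group in /etc/passwd,
# excluding the news user itself.  Returns 1 if there is no news group.
news_group_members() {
    group_file=$1
    passwd_file=$2
    gid=$(awk -F: '$1 == "news" { print $3 }' "$group_file")
    [ -n "$gid" ] || return 1
    {
        # supplementary members: 4th field of the "news" line in /etc/group
        awk -F: '$1 == "news" && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        # primary-group members: accounts whose GID field equals the news GID
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file"
    } | sort -u | awk '$1 != "news"'
}

# Print the wrapper path if it is setuid and executable by its group,
# i.e. the 4710-style mode the reply describes (bits 4010 all set).
setuid_group_exec() {
    find "$1" ! -type d -perm -4010 -print
}

# Usage: sh audit.sh /etc/group /etc/passwd /usr/lib/news/bin/startinnfeed
# Any user printed by the first check, combined with a path printed by the
# second, is someone who should already be trusted with the news UID.
```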
------------------------------------------------------------
From: Hugo van der Kooij <hvdkooij@VANDERKOOIJ.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.33.0104182041120.2750-100000@hvdkooij.xs4all.nl>

On Wed, 18 Apr 2001, Enrique A. Sanchez Montellano wrote:

> ======================================================================
>                  Defcom Labs Advisory def-2001-19
>
>                 innfeed buffer overflow

...

> ------------------------=[Affected Systems]=--------------------------
> Linux:
>    Slackware 7.1 and older versions.
>    Mandrake 7.0 and older versions.
>    RedHat 7.2 and older versions.

Pardon me for noting that Red Hat Linux 7.1 is just out now. So how
can you know already that Red Hat Linux 7.2 is vulnerable?

Mandrake 7.1 is about for some time now. Is it vulnerable?

If you must mention the distributions then make sure you get them
right.

Hugo.

-- All email sent to me is bound to the rules described on my
homepage.

    Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/

	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
(6388194) /Hugo van der Kooij <hvdkooij@VANDERKOOIJ.ORG>/(Rewrapped)