6084917 2001-02-12 15:46 +0100  /58 lines/ Paul Starzetz <paul@STARZETZ.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-12  21:30  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: paul@STARZETZ.DE
Recipient: Bugtraq (import) <15367>
Subject: Format string bug in startinnfeed
------------------------------------------------------------
From: Paul Starzetz <paul@STARZETZ.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A87F747.FBBB6E52@starzetz.de>

1. Description
--------------

The 'startinnfeed' binary contains various format string bugs. Most of
the command-line options pass user-given arguments to 'syslog()' as the
format string. For example:

paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -a "%x%x%n%n%n%n%n%n%n"
segmentation fault
paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -b "%x%x%n%n%n%n%n%n%n"
Mon Feb 12 15:37:01 2001 innfeed: Not a directory: %x%x%n%n%n%n%n%n%n

segmentation fault
paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -c "%x%x%n%n%n%n%n%n%n"
segmentation fault
paul@ps:/usr/home/paul >


The vulnerable package is

Name        : inn
Version     : 2.2.2
Release     : 132
Group       : Networking/Daemons
Size        : 5764682
Summary     : Inter Net News
Description :
Build Date  : Wed 20 Sep 2000 20:02:52 CEST
Source RPM  : inn-2.2.2-132.src.rpm

Rich Salz's InterNetNews news transport system.


2. Impact
---------

It may be possible to obtain elevated privileges on vulnerable
machines, usually uid=0.  As far as I saw it on SuSE, startinnfeed is
not marked executable for any user, only for the members of the news
group (and root of course).  So assuming that some user is able to
elevate his privileges and gain gid=news, it may be possible to
obtain uid=0 as well.



3. Solution
------------

Quick fix: chmod u-s /usr/lib/news/bin/startinnfeed
(6084917) --------------------------------(Reflowed)
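The defect the advisory above alleges, as an added example that is not code from the advisory or from INN: a logging wrapper that passes a caller-controlled string to a printf-family function as the format, beside the corrected form that uses a literal "%s" format. It formats into a buffer instead of calling syslog(3) so the effect can be inspected, which does not change the defect: syslog() hands its format argument to the same vprintf-style machinery. The sample input "50%% done" is constructed; "%%" is chosen because it is the only directive that is well defined to evaluate with no arguments, whereas the advisory's "%x...%n" payload would read and write through missing arguments.

```c
/* Added example: user-controlled format string vs. the fixed form.
 * Not code from the advisory or from INN. */
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Vulnerable pattern: the caller's string *is* the format.
 * Equivalent of   syslog(LOG_ERR, user_arg);
 * Any %-directive in user_arg is interpreted by printf: "%x" reads
 * whatever sits where the next argument would be, "%n" writes there. */
static void log_unsafe(char *out, size_t outlen, const char *user_arg)
{
    snprintf(out, outlen, user_arg);
}

/* Fixed pattern: the format is a literal and user data is only ever
 * consumed as a %s argument, so it is copied verbatim.
 * Equivalent of   syslog(LOG_ERR, "%s", user_arg); */
static void log_safe(char *out, size_t outlen, const char *user_arg)
{
    snprintf(out, outlen, "%s", user_arg);
}

/* Audit helper: count printf directives in a string, treating "%%" as a
 * literal percent sign. Useful for triaging captured arguments or log
 * lines; it is not a substitute for fixing the call site. */
static int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> a single '%' in the output */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Run both wrappers on the same input. Returns 1 when the unsafe path
 * produced something different from the input, i.e. the input was
 * interpreted as a format string; 0 when both paths agree. */
static int demo(const char *input, char *unsafe_out, char *safe_out, size_t len)
{
    log_unsafe(unsafe_out, len, input);
    log_safe(safe_out, len, input);
    return strcmp(unsafe_out, safe_out) != 0;
}

int main(void)
{
    char u[LOGBUF], s[LOGBUF];
    const char *input = "50%% done";          /* constructed sample input */
    const char *payload = "%x%x%n%n%n%n%n%n%n"; /* the advisory's argument */

    int differed = demo(input, u, s, LOGBUF);
    printf("unsafe: \"%s\"\nsafe:   \"%s\"\n", u, s);
    printf("directives in advisory payload: %d\n", count_directives(payload));
    return differed ? 0 : 1;
}
```

Compiling this with `gcc -Wall -Wformat -Wformat-security` reports the `snprintf(out, outlen, user_arg)` call in log_unsafe ("format not a string literal and no format arguments"), which is the cheapest way to sweep a code base for this class of bug before looking at any particular binary.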
6086253 2001-02-12 14:55 -0800  /63 lines/ Russ Allbery <rra@STANFORD.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  04:40  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rra@STANFORD.EDU
Recipient: Bugtraq (import) <15397>
Comment on text 6084917 by Paul Starzetz <paul@STARZETZ.DE>
Subject: Re: Format string bug in startinnfeed
------------------------------------------------------------
From: Russ Allbery <rra@STANFORD.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <yl8znb4ikz.fsf@windlord.stanford.edu>

I love the notification that you gave to the INN developers about
this problem (namely, absolutely none at all).  If you'd mailed us
first, I could have pointed out to you that innfeed does no argument
parsing of its own and just execs innfeed with the passed arguments,
which at the least would have made your notice more accurate.

So far as I can tell, all of the below:

Paul Starzetz <paul@STARZETZ.DE> writes:

> paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -a "%x%x%n%n%n%n%n%n%n"
> segmentation fault
> paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -b "%x%x%n%n%n%n%n%n%n"
> Mon Feb 12 15:37:01 2001 innfeed: Not a directory: %x%x%n%n%n%n%n%n%n

> segmentation fault
> paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -c "%x%x%n%n%n%n%n%n%n"
> segmentation fault

are actually segfaults in innfeed itself.  While that's definitely
sloppy code, it doesn't pose a security risk that I can see; innfeed
runs as the news user and only the news user should be capable of
running startinnfeed in the first place.  (If this is not the case,
please report this to your distribution packager as a packaging
error; startinnfeed should be owned by root:news, mode 4550, and the
only member of the news group should be the news user.)

If you see a security vulnerability here, I would very much appreciate
enlightenment.  It's always possible that I've missed something.

> The vulnerable package is
>
> Name        : inn
> Version     : 2.2.2

INN 2.2.2 is no longer supported (the current release is INN 2.3.1,
which has among other things a rewrite of startinnfeed), but after
reviewing the code in startinnfeed in INN 2.2.2 after seeing your
message I don't see anywhere where that version is passing user data
to syslog as a format string.  There is only one occurrence of *printf
in startinnfeed.c in INN 2.2.2 and it uses inn.conf data and a
compile-time constant.

If I've overlooked something, I'd quite certainly welcome a more
complete bug report.

Note that the sole utility of startinnfeed is to increase system file
descriptor and data limits for innfeed.  If you've already taken care
of this via other means, you can safely change newsfeeds to run
innfeed directly and remove startinnfeed from your system.  If
startinnfeed makes you nervous for whatever reason, removing the
setuid bit is completely harmless for most configurations (probably
all small or hobby servers).

--
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
(6086253) --------------------------------(Reflowed)