Date:	Tue, 11 May 1999 11:24:06 -0400
From:	"Forrest J. Cavalier III" <mibsoft@MIBSOFTWARE.COM>
Subject:      INN 2.0 and higher. Root compromise potential
To:	BUGTRAQ@NETSPACE.ORG

Copyright 1999 Forrest J. Cavalier III, Mib Software
This information is provided by Mib Software, www.mibsoftware.com.
This notice can be distributed without limitation.

Summary:
--------
   INN is open source NNTP (Usenet) server software from the Internet
   Software Consortium. http://www.isc.org/

   In some cases, there is potential for the local news user,
   or any local user, to execute arbitrary code as root.

   The two vulnerabilities reported below have already been
   discussed in the Usenet newsgroup news.software.nntp.  Because
   the details are already public, the vendor is being sent this
   notice at the same time as BUGTRAQ and was not notified earlier.

   INN is communications software.  Mib Software knows of no
   buffer overrun exploit against the affected versions of INN,
   but the possibility cannot be ruled out.  A remote bug of that
   kind, giving code execution as user news, would be the only way
   the local issues below could be turned into a root compromise
   over a network connection.

Background:
-----------
   Because the NNTP port (119) is a privileged port, a SUID root
   wrapper, inndstart, binds the socket and is then intended to
   drop root privileges, setting the UID to user news before
   calling exec() on innd.  In some cases this behavior can be
   altered so that privileges are retained or gained.

------------------------------------------------------------
Vulnerability 1 (pathrun should not be trusted information)
------------------------------------------------------------
Summary: It is possible for the news user to control the behavior
   of the inndstart program so that root privileges are not
   dropped, and execute arbitrary programs as root.

Versions affected: INN 2.0 and higher.
Versions not affected: INN 1.7.2 and lower.

Details: inndstart determines the target UID and GID from the
   owner and group of a directory which is normally owned by user
   news, group news.  The directory that is checked can be changed
   by editing the "pathrun" parameter in the inn.conf configuration
   file, which user news can write.

   By pointing pathrun at a directory with the desired ownership
   (for root, any root-owned directory), inndstart sets that UID
   and GID and then exec()s innd, so innd itself runs as that user.

   During normal operation innd fork()s and exec()s many child
   processes, so once innd is running as root it is relatively
   simple to have it execute arbitrary code as root.

Solution: modify the source file innd/inndstart.c to use a
   hard-coded pathrun instead of the structure member
   innconf->pathrun, so that a value in inn.conf cannot redirect
   the lookup.

Workaround: There is no workaround.  The source must be modified.
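The following is an added illustration, not code from INN or from the advisory's author. It contrasts a lookup whose directory comes from the configuration file with one whose directory is compiled in, and it goes one step beyond the fix described above by also refusing any directory owned by root or group 0, so a misconfiguration cannot silently leave the daemon privileged. PATHRUN_FIXED, the function names and the use of "/" as a stand-in for an attacker-chosen root-owned directory are assumptions for illustration.

```c
/* Added example (not INN's code): letting inn.conf choose which directory's
 * owner the wrapper drops to, versus compiling the directory in and refusing
 * a privileged owner.  PATHRUN_FIXED and all names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PATHRUN_FIXED "/var/run/news"   /* assumed build-time location */

/* An identity the daemon may drop to must be neither uid 0 nor gid 0. */
int validate_target(uid_t uid, gid_t gid)
{
    return (uid == 0 || gid == 0) ? -1 : 0;
}

/* Vulnerable pattern: whoever writes inn.conf names the directory, and
 * its owner (root, for any root-owned directory) is accepted as-is. */
int target_from_config_dir(const char *pathrun, uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (stat(pathrun, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    *uid = st.st_uid;               /* no check that this is not root */
    *gid = st.st_gid;
    return 0;
}

/* Hardened pattern: the same lookup, but a privileged owner is an error. */
int target_from_dir_checked(const char *dir, uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (validate_target(st.st_uid, st.st_gid) != 0)
        return -1;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* The advisory's fix: the directory is a compile-time constant rather than
 * innconf->pathrun, so nothing in inn.conf can redirect the lookup. */
int target_from_fixed_dir(uid_t *uid, gid_t *gid)
{
    return target_from_dir_checked(PATHRUN_FIXED, uid, gid);
}

/* Drop privileges group-first, then prove the drop took and that root
 * cannot be regained; the caller must not exec() the daemon on failure.
 * Supplementary groups should also be cleared with setgroups() before
 * this call; that is omitted here to keep the example portable. */
int drop_to(uid_t uid, gid_t gid)
{
    if (validate_target(uid, gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    if (setuid(0) == 0)             /* must fail: the saved uid is gone */
        return -1;
    return 0;
}

int main(void)
{
    uid_t uid = 0;
    gid_t gid = 0;
    /* "/" stands in for any root-owned directory an attacker could name. */
    if (target_from_config_dir("/", &uid, &gid) == 0)
        printf("config-controlled lookup accepts uid=%ld gid=%ld\n",
               (long)uid, (long)gid);
    if (target_from_dir_checked("/", &uid, &gid) != 0)
        printf("checked lookup refuses a root-owned directory\n");
    return 0;
}
```

Run as an ordinary user the program prints that the configuration-controlled lookup happily returns uid 0 for "/", while the checked lookup rejects it; the point of drop_to() is that a wrapper should verify the drop rather than assume setuid() succeeded.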

------------------------------------------------------------------
Vulnerability 2 (inndstart should be protected,
                 INNCONF environment variable should not be trusted.)
------------------------------------------------------------------
Versions affected: INN 2.x after July 9, 1998 (including INN 2.1
     and higher.)
Versions not affected: INN 1.7.2 and lower.

Details: Normally the SUID root program inndstart should be in a
   directory accessible only by user news.  In some installations
   the program is executable by all local users.

   On July 9, 1998 a source code change was introduced which
   obtains the path of the configuration file from the environment
   variable INNCONF.  In those installations with inndstart
   accessible to local users, a local user can set INNCONF to point
   at a configuration file of their own and so decide what
   inndstart does, including which programs it executes.

   If the pathrun vulnerability above is fixed, these programs run
   as user news (still a compromise of the news account); if it is
   not fixed, they run as root.

Solution: Install inndstart in a directory with 0700 permissions
   owned by user news.
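The following is an added illustration, not INN code and not from the advisory's author. It shows the two defences that follow from this section: a setuid program ignoring INNCONF when its real and effective UIDs differ (the case the July 1998 change missed), and a check that the directory holding inndstart is owned by news and mode 0700, which is the advisory's own remedy. INNCONF_FIXED, the function names, the scratch directory under /tmp and the constructed hostile INNCONF value are assumptions for illustration.

```c
/* Added example (not INN's code): refusing an environment-supplied config
 * path under setuid, and verifying the wrapper's directory is 0700 news.
 * INNCONF_FIXED and all names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define INNCONF_FIXED "/etc/news/inn.conf"   /* assumed compiled-in default */

/* The behavior introduced in July 1998, for contrast: whatever the caller
 * put in the environment becomes the configuration file. */
const char *config_path_trusting_env(const char *env_innconf)
{
    return env_innconf != NULL ? env_innconf : INNCONF_FIXED;
}

/* Hardened: when real and effective UIDs differ the program is running
 * setuid, so the caller's environment is hostile and INNCONF is ignored.
 * Relative paths are refused too, since they resolve against the caller's
 * working directory. */
const char *config_path_checked(uid_t ruid, uid_t euid, const char *env_innconf)
{
    if (ruid != euid || env_innconf == NULL || env_innconf[0] != '/')
        return INNCONF_FIXED;
    return env_innconf;
}

/* The advisory's remedy: the directory holding inndstart must be owned by
 * user news and be exactly mode 0700, so other local users cannot reach
 * the binary to run it with an environment of their choosing. */
int bindir_is_protected(const char *dir, uid_t news_uid)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != news_uid)
        return 0;
    if ((st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) != S_IRWXU)
        return 0;
    return 1;
}

/* Self-check: make a scratch directory as the current user, confirm it
 * passes at 0700 and fails once group/other bits are added.  Returns 1
 * only when both outcomes are as expected. */
int demo_bindir_check(void)
{
    char dir[64];
    int ok;
    snprintf(dir, sizeof dir, "/tmp/innwrap-demo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 || chmod(dir, 0700) != 0)
        return 0;
    ok = (bindir_is_protected(dir, getuid()) == 1);
    if (chmod(dir, 0755) == 0)
        ok = ok && (bindir_is_protected(dir, getuid()) == 0);
    else
        ok = 0;
    rmdir(dir);
    return ok;
}

int main(void)
{
    /* Constructed hostile value, as a local user might export it. */
    const char *evil = "/tmp/attacker/inn.conf";
    printf("trusting env           -> %s\n", config_path_trusting_env(evil));
    printf("checked, setuid (1000->0) -> %s\n", config_path_checked(1000, 0, evil));
    printf("checked, plain (1000->1000) -> %s\n", config_path_checked(1000, 1000, evil));
    printf("bindir self-check: %s\n", demo_bindir_check() ? "ok" : "FAILED");
    return 0;
}
```

The UID comparison is the portable way to detect a setuid context; on systems that offer it, issetugid() or the equivalent is preferable because it also covers a saved-uid that was already dropped. The directory check deliberately demands exactly 0700 rather than "no world bits": a group-readable bin directory still lets every member of group news reach the wrapper.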

-------------------------------------------------------------------
Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages.
   http://www.mibsoftware.com/innsup.htm