Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


Date: Tue, 11 May 1999 11:24:06 -0400  
From: Forrest J. Cavalier III <>  
Subject: INN 2.0 and higher. Root compromise potential  
Copyright 1999 Forrest J. Cavalier III, Mib Software  
This information is provided by Mib Software,  
This notice can be distributed without limitation.  
INN is open source NNTP (Usenet) server software from the Internet  
Software Consortium.  
In some cases, there is potential for the local news user,  
or any local user, to execute arbitrary code as root.  
The two vulnerabilities reported below have already been  
discussed in the Usenet newsgroup  
Therefore, the vendor is being sent this notice now, and  
was not notified previously.  
INN is communications software. Mib Software knows of  
no buffer overrun exploits of the affected versions of  
INN, but the possibility cannot be ruled out. This would  
be the only way a root compromise using a remote connection  
would be possible.  
Since NNTP defines a privileged port (119), a SUID root  
wrapper, inndstart, binds to the port, and then is  
intended to drop root privileges, setting the UID to user  
news before exec() innd. In some cases, this behavior  
can be altered to gain privileges.  
Vulnerability 1 (pathrun should not be trusted information)  
Summary: It is possible for the news user to control the behavior  
of the inndstart program so that root privileges are not  
dropped, and execute arbitrary programs as root.  
Versions affected: INN 2.0 and higher.  
Versions not affected: INN 1.7.2 and lower.  
Details: inndstart determines the target UID and GID from  
the UID and GID of a directory which is normally owned  
by user news, group news. The directory which is checked  
can be changed by editing the "pathrun" parameter  
in the inn.conf configuration file.  
By specifying a directory with appropriate ownership, inndstart  
can exec() running as any user, including root.  
During the course of normal operation, innd forks and executes  
many child processes, and it is relatively simple to run arbitrary code  
from innd.  
Solution: modify the source file innd/inndstart.c to use a  
hard-coded pathrun instead of the structure member.  
Workaround: There is no workaround. The source must be modified.  
Vulnerability 2 (inndstart should be protected,  
INNCONF environment variable should not be trusted.)  
Versions affected: INN 2.x after July 9, 1998 (including INN 2.1  
and higher.)  
Versions not affected: INN 1.7.2 and lower.  
Details: Normally, the SUID root program inndstart, should be  
in a directory accessible only by user news. In some  
installations, this program is accessible to all local users.  
On July 9, 1998 a source code change was introduced which  
obtains the path of the configuration file from the environment  
variable INNCONF. In those installations with inndstart  
accessible to local users, a local user can set INNCONF in the  
environment and determine the behavior of inndstart  
so that arbitrary programs are executed.  
If the pathrun vulnerability above is fixed, these programs run as  
user news; if it is not fixed, they run as root.  
Solution: Install inndstart in a directory with 0700 permissions  
owned by user news.  
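The following is an added example written for this page, not INN's own innd/inndstart.c, showing the shape of the fixes recommended for both vulnerabilities above: the run directory and the configuration path are compiled in rather than read from inn.conf or the INNCONF environment variable, a run directory owned by root (or writable by others) is refused before its owner is used as the target identity, and the privilege drop is verified before exec(). It goes slightly beyond the advisory's second solution by also rebuilding the child's environment from scratch, so an inherited INNCONF cannot reach innd even if the directory permissions are wrong. The macro names, the function names, and the paths /var/run/news, /etc/news/inn.conf and /usr/lib/news/bin/innd are assumptions, not INN's actual names or install locations.

```c
/* Added example (not INN's inndstart.c): a hardened privilege-drop
 * routine of the kind the advisory recommends.  PATHRUN_HARDCODED,
 * INNCONF_HARDCODED, the paths and the function names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerability 1 fix: the run directory is compiled in, never read from
 * inn.conf, which the news user can edit.  Vulnerability 2 fix: the
 * configuration path is compiled in too, so INNCONF is never consulted. */
#define PATHRUN_HARDCODED "/var/run/news"        /* assumed location */
#define INNCONF_HARDCODED "/etc/news/inn.conf"   /* assumed location */

/* Validate the stat() result of the run directory before trusting its
 * owner/group as the unprivileged identity.  Returns 0 and fills in
 * uid/gid on success, -1 otherwise.  Taking a struct stat rather than a
 * path keeps the policy testable without a real news installation. */
int check_target_ids(const struct stat *st, uid_t *uid, gid_t *gid)
{
    if (!S_ISDIR(st->st_mode))
        return -1;                  /* not a directory at all */
    if (st->st_uid == 0 || st->st_gid == 0)
        return -1;                  /* would keep (or hand out) root */
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return -1;                  /* others could swap the directory */
    *uid = st->st_uid;
    *gid = st->st_gid;
    return 0;
}

/* stat() the compiled-in run directory and derive the target identity. */
int resolve_target_ids(uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (stat(PATHRUN_HARDCODED, &st) != 0)
        return -1;
    return check_target_ids(&st, uid, gid);
}

/* Drop root for good: supplementary groups first, then gid, then uid,
 * and confirm the real and effective ids actually changed.  Returns 0 on
 * success, -1 on any failure (the caller must then refuse to exec). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (setgroups(0, NULL) != 0)    /* clear inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)             /* regaining root must now be impossible */
        return -1;
    return 0;
}

/* Build a minimal, trusted environment for the child so that nothing
 * inherited from the caller (INNCONF included) can steer the daemon.
 * envp must have room for at least n == 3 entries. */
int build_child_env(char **envp, size_t n)
{
    if (n < 3)
        return -1;
    envp[0] = "PATH=/usr/bin:/bin";
    envp[1] = "INNCONF=" INNCONF_HARDCODED;
    envp[2] = NULL;
    return 0;
}

int main(void)
{
    uid_t uid;
    gid_t gid;
    char *envp[3];

    if (resolve_target_ids(&uid, &gid) != 0) {
        fprintf(stderr, "inndstart: refusing to run: bad pathrun ownership\n");
        return 1;
    }
    /* bind(2) to the privileged NNTP port 119 would happen here, as root. */
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "inndstart: could not drop privileges: %s\n",
                strerror(errno));
        return 1;
    }
    build_child_env(envp, 3);
    /* /usr/lib/news/bin/innd is an assumed path for the daemon binary. */
    execve("/usr/lib/news/bin/innd", (char *[]){"innd", NULL}, envp);
    perror("inndstart: execve");
    return 1;
}
```

The order matters: the directory check runs while still root, the bind happens before the drop, and exec() happens only after drop_privileges() has confirmed that setuid(0) fails; with the advisory's original design, an attacker-chosen pathrun directory owned by root would sail through the same sequence and innd would start with uid 0.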
Forrest J. Cavalier III, Mib Software, INN customization and consulting  
'Pay-as-you-go' commercial support for INN: Only $64/hour!  
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages.