Everhart, Glenn (FUSA)

From: Forrest J. Cavalier III [mibsoft@MIBSOFTWARE.COM]
Sent: Tuesday, May 11, 1999 11:24 AM
To: BUGTRAQ@NETSPACE.ORG
Subject: INN 2.0 and higher. Root compromise potential

Copyright 1999 Forrest J. Cavalier III, Mib Software
This information is provided by Mib Software, www.mibsoftware.com.
This notice can be distributed without limitation.

Summary:
--------

INN is open source NNTP (Usenet) server software from the Internet
Software Consortium. http://www.isc.org/

In some cases, there is potential for the local news user, or any local
user, to execute arbitrary code as root.

The two vulnerabilities reported below have already been discussed in the
Usenet newsgroup news.software.nntp. Therefore, the vendor is being sent
this notice now, and was not notified previously.

INN is communications software. Mib Software knows of no buffer overrun
exploits of the affected versions of INN, but the possibility cannot be
ruled out. This would be the only way a root compromise using a remote
connection would be possible.

Background:
-----------

Since NNTP defines a privileged port (119), a SUID root wrapper, inndstart,
binds to the port and is then intended to drop root privileges, setting the
UID to user news before exec()ing innd. In some cases, this behavior can be
altered to gain privileges.

------------------------------------------------------------
Vulnerability 1 (pathrun should not be trusted information)
------------------------------------------------------------

Summary: It is possible for the news user to control the behavior of the
inndstart program so that root privileges are not dropped, and to execute
arbitrary programs as root.

Versions affected: INN 2.0 and higher.
Versions not affected: INN 1.7.2 and lower.

Details: inndstart determines the target UID and GID from the UID and GID
of a directory which is normally owned by user news, group news. The
directory which is checked can be changed by editing the "pathrun"
parameter in the inn.conf configuration file. By specifying a directory
with appropriate ownership, inndstart can exec() running as any user,
including root. During the course of normal operation, innd fork()s and
executes many child processes, and it is relatively simple to run
arbitrary code from innd.

Solution: modify the source file innd/inndstart.c to use a hard coded
pathrun, instead of the structure member innconf->pathrun.

Workaround: There is no workaround. The source must be modified.

------------------------------------------------------------------
Vulnerability 2 (inndstart should be protected, INNCONF environment
variable should not be trusted.)
------------------------------------------------------------------

Versions affected: INN 2.x after July 9, 1998 (including INN 2.1 and
higher.)
Versions not affected: INN 1.7.2 and lower.

Details: Normally, the SUID root program inndstart should be in a directory
accessible only by user news. In some installations, this program is
accessible to all local users. On July 9, 1998 a source code change was
introduced which obtains the path of the configuration file from the
environment variable INNCONF. In those installations with inndstart
accessible to local users, a local user can set INNCONF in the environment
and determine the behavior of inndstart so that arbitrary programs are
executed. If the pathrun vulnerability above is fixed, these programs run
as user news; if not fixed, they run as user root.

Solution: Install inndstart in a directory with 0700 permissions owned by
user news.

-------------------------------------------------------------------
Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages.
http://www.mibsoftware.com/innsup.htm
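As an added example that is not part of this advisory and is not INN's own inndstart.c, the C program below sketches the checks a hardened setuid-root wrapper in the role of inndstart would perform for both vulnerabilities above: the run directory whose ownership selects the drop target is compiled in (so neither inn.conf nor the INNCONF environment variable can redirect it), a target owner with uid 0 or gid 0 is refused, the directory holding the wrapper is verified to be mode 0700 and owned by the service user before anything else happens, and the privilege drop itself is verified before exec(). The values of PATHRUN and INSTALL_DIR, all function names, and the use of /usr/bin/id as a stand-in for innd are assumptions; binding port 119 is omitted.

```c
/* Added example, not INN's inndstart.c: the pre-exec checks a hardened
 * setuid-root wrapper would perform. Paths and names are hypothetical. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Compiled-in paths: neither inn.conf nor $INNCONF is consulted, so an
 * editable file or the environment cannot redirect them. */
#define PATHRUN     "/var/news/run"        /* hypothetical run directory */
#define INSTALL_DIR "/usr/local/news/bin"  /* hypothetical, holds the wrapper */

/* The only acceptable drop target is a non-root uid AND a non-root gid. */
int target_is_unprivileged(uid_t uid, gid_t gid)
{
    return uid != 0 && gid != 0;
}

/* Derive the target uid/gid from a directory's ownership, refusing
 * symlinks, non-directories and anything owned by root.
 * Returns 0 on success, -1 on refusal. */
int resolve_drop_target(const char *dir, uid_t *uid, gid_t *gid)
{
    struct stat st;

    if (lstat(dir, &st) != 0)                /* missing or unreadable */
        return -1;
    if (!S_ISDIR(st.st_mode))                /* symlink or plain file */
        return -1;
    if (!target_is_unprivileged(st.st_uid, st.st_gid))
        return -1;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* Convenience wrapper: 1 if the directory yields an acceptable target. */
int pathrun_acceptable(const char *dir)
{
    uid_t uid;
    gid_t gid;
    return resolve_drop_target(dir, &uid, &gid) == 0;
}

/* A directory holding a setuid-root helper should be mode 0700 and owned
 * by the service user, so other local users cannot even invoke it.
 * Returns 1 if so, 0 otherwise. */
int dir_is_private(const char *dir, uid_t owner)
{
    struct stat st;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == owner && (st.st_mode & 07777) == 0700;
}

/* Drop root permanently (groups, then gid, then uid) and verify that
 * every id changed and that root cannot be regained. Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (!target_is_unprivileged(uid, gid))
        return -1;
    if (setgroups(0, NULL) != 0)             /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)                      /* must fail after a real drop */
        return -1;
    return 0;
}

int main(void)
{
    uid_t uid;
    gid_t gid;

    if (resolve_drop_target(PATHRUN, &uid, &gid) != 0) {
        fprintf(stderr, "refusing: %s is not an unprivileged directory\n", PATHRUN);
        return 1;
    }
    /* Only the service user may invoke the wrapper, and the directory it
     * lives in must be closed to everyone else. */
    if (getuid() != uid || !dir_is_private(INSTALL_DIR, uid)) {
        fprintf(stderr, "refusing: wrong invoking user or insecure install dir\n");
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "refusing: could not drop privileges\n");
        return 1;
    }
    /* Stand-in for innd: shows the ids the daemon would now run with. */
    execl("/usr/bin/id", "id", (char *)NULL);
    perror("execl");
    return 1;
}
```

The ordering matters: the install directory and the drop target are checked while the process still has nothing but compiled-in inputs to trust, and the drop is verified by attempting to regain root rather than by assuming setuid() succeeded.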