Bugtraq mailing list archives
Format string bug in startinnfeed
From: Paul Starzetz <paul () STARZETZ DE>
Date: Mon, 12 Feb 2001 15:46:31 +0100
1. Description
--------------

The 'startinnfeed' binary contains various format string bugs. Most of the
command line options pass user-given arguments to 'syslog()' as the format
string. For example:

paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -a "%x%x%n%n%n%n%n%n%n"
segmentation fault
paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -b "%x%x%n%n%n%n%n%n%n"
Mon Feb 12 15:37:01 2001 innfeed: Not a directory: %x%x%n%n%n%n%n%n%n
segmentation fault
paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -c "%x%x%n%n%n%n%n%n%n"
segmentation fault
paul@ps:/usr/home/paul >

The vulnerable package is

Name        : inn
Version     : 2.2.2
Release     : 132
Group       : Networking/Daemons
Size        : 5764682
Summary     : Inter Net News
Description :
Build Date  : Mit 20 Sep 2000 20:02:52 CEST
Source RPM  : inn-2.2.2-132.src.rpm
Rich Salz's InterNetNews news transport system.

2. Impact
---------

It may be possible to obtain elevated privileges on vulnerable machines,
usually uid=0. As far as I saw it on SuSE, startinnfeed is not marked
executable for any user, only for the members of the news group (and root
of course). So assuming that some user is able to elevate his privileges
and gain gid=news, it may be possible to obtain uid=0 as well.

3. Solution
-----------

Quick fix:

chmod u-s /usr/lib/news/bin/startinnfeed
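The defect Paul describes is a user-controlled string reaching the format parameter of a *printf-family call. The following C snippet is an added illustration, not code from the post or from INN: it places the vulnerable pattern next to its hardened form (a literal format with the untrusted string passed as a "%s" argument), and adds a small audit helper that counts conversion directives in an untrusted string, which is handy when reviewing which inputs reach a logging call. snprintf() stands in for syslog() so both variants can be compared in one process; the function names and the "Not a directory:" message are assumptions chosen to match the log line quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (as in the advisory, with syslog() replaced by
 * snprintf()): the user string IS the format. Directives such as %x read
 * arguments that were never passed and %n writes to memory, which is why
 * the binary crashes on "%x%x%n%n%n%n%n%n%n". Never call this with
 * untrusted input; it is here only for comparison with log_safe(). */
static int log_unsafe(char *out, size_t n, const char *user_arg)
{
    return snprintf(out, n, user_arg);   /* BUG: non-literal format */
}

/* Hardened form: the format is a literal and the user string is only ever
 * a %s argument, so any '%' it contains is copied verbatim. The same fix
 * applies to syslog(): syslog(LOG_ERR, "Not a directory: %s", user_arg). */
static int log_safe(char *out, size_t n, const char *user_arg)
{
    return snprintf(out, n, "Not a directory: %s", user_arg);
}

/* Audit helper: count conversion directives in an untrusted string.
 * An escaped "%%" is a literal percent sign and is not counted. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> literal '%', skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 if the hardened logger reproduces the argument unchanged,
 * i.e. no directive in it was interpreted. */
static int safe_logger_preserves_input(const char *user_arg)
{
    char buf[256];
    log_safe(buf, sizeof buf, user_arg);
    return strcmp(buf + strlen("Not a directory: "), user_arg) == 0;
}

int main(void)
{
    /* Constructed sample: the same argument used in the advisory. */
    const char *arg = "%x%x%n%n%n%n%n%n%n";
    char buf[256];

    log_safe(buf, sizeof buf, arg);
    printf("%s\n", buf);
    printf("conversion directives in argument: %d\n",
           count_format_directives(arg));
    (void)log_unsafe;   /* deliberately not exercised */
    return 0;
}
```

Compiling with -Wformat -Wformat-security flags log_unsafe() at build time, which is the cheapest way to find this class of bug in a code base before it reaches a setuid binary.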
Current thread:
- Format string bug in startinnfeed Paul Starzetz (Feb 12)
- Re: Format string bug in startinnfeed Russ Allbery (Feb 12)