8275816 2002-04-11 20:22 +0200 /35 lines/ Paul Starzetz <paul@starzetz.de>
Sent by: joel@lysator.liu.se
Imported: 2002-04-12 03:04 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: Roman Drahtmueller <draht@suse.de>
Recipient: Bugtraq (import) <21821>
Subject: Inn (Inter Net News) security problems
------------------------------------------------------------
From: Paul Starzetz <paul@starzetz.de>
To: bugtraq@securityfocus.com, Roman Drahtmueller <draht@suse.de>
Message-ID: <3CB5D449.9050504@starzetz.de>

Hi,

I found several problems inside the inn (<=2.2.3) package as shipped with various Linux distributions. There are several format string coding bugs as well as insecure open() calls. In particular the inews and the rnews binaries are affected. This may lead to serious security problems if those binaries are installed set-uid and are executable by any user. In the case of inews, obtaining uid news is possible (which can be further used to replace/trojan other system files like the binaries themselves); in the case of rnews, access to probably sensitive inn configuration files seems possible (like inn password hashes etc.).

The attached archive contains a short proof of concept code for one of the format string bugs (look in the inews.sh script for more details) in the inews binary. The code has been successfully tested against SuSE 7.0 where inews and rnews are setuid news. Later distributions seem to use another security concept - the binaries are either only setgid news or are not runnable by ordinary users.

The exploitation is technically difficult - it requires a fake NNTP server setup somewhere (the code comes with the tar package). Note: this is NOT a remote exploit. Look at the code for more technical details. The code will create a setuid news shell.

Vendors have been notified more than 5 weeks ago.
regards,
/ih
(8275816) /Paul Starzetz <paul@starzetz.de>/(Reflowed)
Attachment (application/octet-stream) in text 8275817

8275817 2002-04-11 20:22 +0200 /27 lines/ Paul Starzetz <paul@starzetz.de>
Attachment filename: "innexpl.tar.gz"
Imported: 2002-04-12 03:04 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: Roman Drahtmueller <draht@suse.de>
Recipient: Bugtraq (import) <21822>
Attachment (text/plain) to text 8275816
Subject: Attachment (innexpl.tar.gz) to: Inn (Inter Net News) security problems
------------------------------------------------------------