Title: ISC INN inndstart pathrun Vulnerability
Severity: HIGH
Description:
It is possibly for the news user to fool the inndstart program such that is does not drop root privileges and then executes an arbitrary program as root.
Inndstart is a suid root wrapper program whose purpose is to bind to a privileged port, change its user id to that of the "news" user, and the execute the "innd" deamon. inndstart determines the uid and gid it should change to by examining the ownership of a directory normally owned by the user "news" and group "news". The directory that is examined can be changed by editing the "pathrun" parameter in the "inn.conf" configuration file.
By specifying a directory with root ownership inndstart can be made to execute innd as root. The are several ways in which you can then make innd execute arbitrary programs as root.
Affected Products:
- ISC INN 2.0.0
- ISC INN 2.1.0
- ISC INN 2.2.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
