Title: ISC INN inndstart INNCONF Vulnerability
Severity: HIGH
Description:
A vulnerability in the inndstart program may allow any user to execute programs as root.
The inndstart program is a suid wrapper that binds to a privileged port, changes its uid and gid to that of the news user, and executed the innd deamon. The inndstart program determines which uid and gid to change by examining the ownership of a directory normally owned by the news user. This directory can be configured by changing the "pathrun" parameter in the inn.conf configuration file. The configuration files also determines what program to execute (normally innd). The inndstart program should normally be installed in a directory accessible only by the news user. In some installation the program is accessible by all users.
On July 9, 1998 a source change was made to inndstart such as the if the environment variable INNCONF was defined it would be used to determine the location of the "inn.conf" configuration file. This enables a local user with access to the inndstart program to create its own innd.conf file with a "pathrun" component pointing to a directory owned by root and defining a program of his choosing to be executed as root.
If inndstart has been patched to ignore the "pathrun" parameter in the configuration file it will still grant access to the malicious user to the "news" account.
Affected Products:
- ISC INN 2.1.0
- ISC INN 2.2.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
