Title: innfeed Command-Line Buffer Overflow Vulnerability
Severity: MODERATE
Description:
InterNetNews (INN) is a complete USENET server package maintained by the Internet Software Consortium (ISC). innfeed, an INN utility program, is vulnerable to a buffer overflow.
The overflow exists in innfeed's command-line parser. Due to an unchecked vsprintf function call in the innfeed code, the entire contents of the -c option are copied to a fixed buffer on the stack.
A local attacker in the news group [2] could use this overflow to execute arbitary code with an effective userid of news. This could constitute an elevation in privileges, and far more seriously, the ability to alter news-owned binaries that could be run by root.
innfeed itself is not setuid news. innfeed is normally started with the program 'startinnfeed' [1], which is setuid root. startinnfeed drops privileges to euid=news before exec'ing innfeed.
[1] startinnfeed prepares an environment for innfeed with increased resource limits.
[2] ISC recommends that only users entrusted to the news user be a part of the news group.
Affected Products:
- ISC INN 2.0.0
- ISC INN 2.1.0
- ISC INN 2.2.0
- ISC INN 2.2.1
- ISC INN 2.2.2
- ISC INN 2.2.3
References:
- ISC: INN Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
