© Neurowork™ 2010. All rights reserved.
Syb Security is a business unit of Neurowork™

Advisories

SYBSEC-ADV06: Innfeed Local Buffer Overflow Exploit

Title
Innfeed Local Buffer Overflow Exploit
ID
SYBSEC-ADV06
Severity
HIGH - Local Buffer Overflow
History
10.APR.2001 Vulnerability discovered
18.APR.2001 Vendor contacted
Scope
Local Buffer Overflow Vulnerability
Platforms
Linux:

Slackware 7.1 and older versions.
Mandrake 7.0 and older versions.
RedHat 7.2 and older versions.
Author
Alex Hernandez / Enrique A. Sanchez Montellano <ahernandez [at] sybsecurity [dot] com>
URL
http://www.sybsecurity.com/advisors/SYBSEC-ADV06-Innfeed_Local_Buffer_Overflow_Exploit
Release
Public
Overview
innfeed is a program that implements the NNTP protocol for transferring news between computers.
Affected versions
The vulnerability has been reported on the following Linux server distributions:
Slackware 7.1 and older versions.
Mandrake 7.0 and older versions.
RedHat 7.2 and older versions.
Description
Because innfeed performs no bounds checking on the argument passed with the -c flag, a buffer overflow occurs that gives complete control of the stack and yields the news uid and gid.
Workaround
Upgrade to a fixed software version, which can be downloaded from:
http://www.redhat.com
Acknowledgments
This vulnerability has been found and researched by:
- Alex Hernandez <ahernandez [at] sybsecurity [dot] com>
- Enrique A. Sanchez Montellano <enrique.sanchez [at] defcom [dot] com>
References
Details

Because the logOrPrint() function calls vsprintf() without any bounds
checking, a stack overflow occurs that corrupts the stack. A local user is
thereby able to gain the news uid, with which he can trojan the news
binaries to gain further access and escalate his privileges.

Users who are members of the news group can thus gain access to the news
uid, obtaining owner privileges on the news files and, in some cases,
being able to trojan them. If root runs those binaries, a root compromise
may be possible.

Offending code:
---------------

vsprintf (buffer,fmt,ap) ;   /* in logOrPrint(): no length bound on the write into buffer */
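The following is an added example, not code from the advisory or from the innfeed/INN source, showing the hardened counterpart of the logOrPrint() pattern above: the unbounded vsprintf() call replaced by vsnprintf(), which is told the buffer size and truncates instead of overwriting the stack frame. The buffer size (128), the helper names and the sample paths are assumptions; the real innfeed buffer size is not stated in the advisory.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer used by the demonstration. The real
 * innfeed buffer size is not stated in the advisory; 128 is an assumed value. */
#define LOG_BUF_SIZE 128

/* Hardened counterpart of the logOrPrint() pattern quoted in the advisory.
 * The vulnerable form is
 *     vsprintf(buffer, fmt, ap);
 * which writes as many bytes as the formatted text needs, whatever the size
 * of buffer. vsnprintf() receives the size, writes at most size-1 characters
 * and always NUL-terminates, so an oversized argument is truncated instead
 * of overwriting the saved frame pointer and return address.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on a format error. */
int log_or_print_safe(char *buffer, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(buffer, size, fmt, ap);
    va_end(ap);

    if (needed < 0)
        return -1;
    /* vsnprintf returns the length the full message would have had */
    return (size_t)needed >= size ? 1 : 0;
}

/* Formats an untrusted string (for example a -c argument) into a
 * LOG_BUF_SIZE stack buffer and reports whether it was truncated. */
int demo_is_truncated(const char *untrusted)
{
    char buffer[LOG_BUF_SIZE];
    return log_or_print_safe(buffer, sizeof buffer, "config file: %s", untrusted);
}

/* Same formatting step, returning the resulting string length so the
 * caller can confirm it never exceeds LOG_BUF_SIZE - 1. */
size_t demo_result_length(const char *untrusted)
{
    char buffer[LOG_BUF_SIZE];
    log_or_print_safe(buffer, sizeof buffer, "config file: %s", untrusted);
    return strlen(buffer);
}

/* Constructed test input: a 300-byte argument, far longer than the buffer. */
const char *constructed_long_argument(void)
{
    static char arg[301];
    memset(arg, 'A', 300);
    arg[300] = '\0';
    return arg;
}

int main(void)
{
    const char *short_arg = "/tmp/example.conf"; /* constructed path, not a real config */
    const char *long_arg = constructed_long_argument();

    printf("short argument: truncated=%d length=%zu\n",
           demo_is_truncated(short_arg), demo_result_length(short_arg));
    printf("long argument:  truncated=%d length=%zu\n",
           demo_is_truncated(long_arg), demo_result_length(long_arg));
    return 0;
}
```

The truncation flag is worth returning rather than discarding: a log line that silently loses its tail can hide the very input that triggered the overflow attempt, so callers can log the event separately when the flag is set.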

Example of exploitation:
------------------------

nahual@shell:~$ ls -al /usr/lib/news/bin/innfeed
-r-xr-x--- 1 news news 213124 Jun 14 2000 /usr/lib/news/bin/innfeed*
nahual@shell:~$ ls -al /usr/lib/news/bin/startinnfeed
-r-sr-x--- 1 root news 40796 Jun 14 2000 /usr/lib/news/bin/startinnfeed*
nahual@shell:~$ id
uid=1001(nahual) gid=100(users) groups=100(users),13(news)
nahual@shell:~$ ./x-innfeed
[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
------------------------------------------------------------
[ + ] Found by:

[ + ] Alex Hernandez (alex.hernandez@defcom.com)
[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)
[ + ] Defcom Labs @ Spain ....
[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)

[ + ] Using address 0xbffff9e4
[ + ] Starting exploitation ...

bash$ id
uid=9(news) gid=13(news) groups=100(users),13(news)
bash$
Exploit tool