COMMAND

    INN

SYSTEMS AFFECTED

    INN 2.0 and higher

PROBLEM

    This information is provided by Mib Software.  INN is open source
    NNTP (Usenet) server software from the Internet Software
    Consortium.  In some cases, there is potential for the local news
    user, or any local user, to execute arbitrary code as root.  The
    two vulnerabilities reported below have already been discussed in
    the Usenet newsgroup news.software.nntp.  INN is communications
    software.  Mib Software knows of no buffer overrun exploits of the
    affected versions of INN, but the possibility cannot be ruled out.
    A buffer overrun would be the only way a root compromise using a
    remote connection would be possible.

    Since NNTP defines a privileged port (119), a SUID root wrapper,
    inndstart, binds to the port and is then intended to drop root
    privileges, setting the UID to user news before it exec()s innd.
    In some cases, this behavior can be altered to gain privileges.

    pathrun should not be trusted information
    =========================================
      It is possible for the news user to control the behavior of the
      inndstart program so that root privileges are not dropped, and
      so execute arbitrary programs as root.  inndstart determines the
      target UID and GID from the UID and GID of a directory which is
      normally owned by user news, group news.  The directory which is
      checked can be changed by editing the "pathrun" parameter in the
      inn.conf configuration file.  By specifying a directory with
      appropriate ownership, inndstart can exec() running as any user,
      including root.  During the course of normal operation, innd
      fork()s and executes many child processes, and it is relatively
      simple to run arbitrary code from innd.

    inndstart should be protected, INNCONF environment variable should not be trusted
    =================================================================================
      Versions affected here are INN 2.x after July 9, 1998 (including
      INN 2.1 and higher).  Normally, the SUID root program inndstart
      should be in a directory accessible only by user news.  In some
      installations, this program is accessible to all local users.
      On July 9, 1998 a source code change was introduced which
      obtains the path of the configuration file from the environment
      variable INNCONF.  In those installations with inndstart
      accessible to local users, a local user can set INNCONF in the
      environment and determine the behavior of inndstart so that
      arbitrary programs are executed.  If the pathrun vulnerability
      above is fixed, these programs run as user news; if not fixed,
      they run as user root.

SOLUTION

    Versions not affected are INN 1.7.2 and lower.  For the first bug,
    the solution is to modify the source file innd/inndstart.c to use
    a hard-coded pathrun instead of the structure member
    innconf->pathrun.  For the second one, install inndstart in a
    directory with 0700 permissions owned by user news.
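
    The sketch below is an added example, not code from INN or from
    Mib Software.  It shows the shape of the first fix: the target
    UID and GID come from a compile-time path rather than from
    inn.conf or the environment.  The path value, the function names
    and the extra refusal of a root-owned directory are assumptions
    made for illustration.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <stdio.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Assumed compile-time path; not taken from inn.conf or the environment. */
#define FIXED_PATHRUN "/var/run/news"
/* Policy on the stat() result: must be a directory and must not belong to
 * UID 0 or GID 0, or root would never be dropped. 0 = ok, -1 = refuse. */
int ids_from_stat(const struct stat *st, uid_t *uid, gid_t *gid)
{
    if (!S_ISDIR(st->st_mode) || st->st_uid == 0 || st->st_gid == 0)
        return -1;
    *uid = st->st_uid;
    *gid = st->st_gid;
    return 0;
}

/* Derive the target IDs from the owner of dir. */
int resolve_target_ids(const char *dir, uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (stat(dir, &st) < 0)
        return -1;
    return ids_from_stat(&st, uid, gid);
}

/* Drop root for good: groups, then GID, then UID, then verify. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root must fail */
}

int main(void)
{
    uid_t uid; gid_t gid;
    if (resolve_target_ids(FIXED_PATHRUN, &uid, &gid) < 0) {
        fprintf(stderr, "refusing to start: bad owner on %s\n", FIXED_PATHRUN);
        return 1;
    }
    if (geteuid() == 0 && drop_privileges(uid, gid) < 0)
        return 1;
    printf("would exec innd as uid=%ld gid=%ld\n", (long)uid, (long)gid);
    return 0;
}
```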