ISC INN inndstart pathrun Vulnerability

It is possibly for the news user to fool the inndstart program such that is does not drop root privileges and then executes an arbitrary program as root.

Inndstart is a suid root wrapper program whose purpose is to bind to a privileged port, change its user id to that of the "news" user, and the execute the "innd" deamon. inndstart determines the uid and gid it should change to by examining the ownership of a directory normally owned by the user "news" and group "news". The directory that is examined can be changed by editing the "pathrun" parameter in the "inn.conf" configuration file.

By specifying a directory with root ownership inndstart can be made to execute innd as root. The are several ways in which you can then make innd execute arbitrary programs as root.


Privacy Statement
Copyright 2010, SecurityFocus