Vulnerability Note VU#943536

ISC InterNetNews (INN) innfeed contains buffer overflow

Original Release date: 05 Sep 2001 | Last revised: 05 Sep 2001

Overview

A locally exploitable buffer overflow exists in ISC InterNetNews.

Description

InterNetNews is a Usenet/Netnews news server supported by the Internet Software Consortium and volunteers. Innfeed is a component of InterNetNews that implements the NNTP protocol for transerring news between hosts. A locally exploitable buffer overflow exists in Innfeed that could allow a local intruder to overflow a buffer by passing it extremely long command-line arguments. This vulnerability affects versions of INN prior to INN 2.3.0.

Impact

An intruder can execute arbitrary code on the target system as the user running InterNetNews, typically news.

Solution

Upgrade INN to 2.3.0, which includes a rewritten startinnfeed utility.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
ISCAffected18 Apr 200104 Sep 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was discovered by Enrique A. Sanchez Montellano and Alex Hernandez .

This document was written by Ian A. Finlay and is based on information obtained from a Defcom Labs Advisory .

Other Information

  • CVE IDs: Unknown
  • Date Public: 18 Apr 2001
  • Date First Published: 05 Sep 2001
  • Date Last Updated: 05 Sep 2001
  • Severity Metric: 7.03
  • Document Revision: 41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.