COMMAND
InterNet News Server
SYSTEMS AFFECTED
Systems running INN prior to version 1.6.
PROBLEM
Secure Networks Inc. pointed out new INN news server vulnerabilities
in their security advisory. That advisory addresses a number of
vulnerabilities present in all versions of INN prior to version 1.6.
A number of vulnerabilities exist in all versions of INN prior to
version 1.6 which allow remote individuals to obtain access to
vulnerable systems. Post access is required to exploit these
vulnerabilities. However, due to the method with which news is
propagated, once a single server has been broken into, all of its
peers can be accessed.
A number of string copies within the INN news server fail to check
the size of data they are copying. This results in buffer
overflows in several locations, allowing individuals to execute
commands remotely, including spawning a shell on the NNTP port.
An example of this situation is in the processing of the "From: "
line by the nnrpd process. In the ARTpost function in post.c, the
From: line is copied into a buffer on the stack without performing
bounds checking:
STRING
ARTpost(article, idbuff)
...
    char buff[NNTP_STRLEN + 2], frombuf[SMBUF];   /* frombuf: fixed-size buffer on the stack */
...
    strcpy(frombuf, HDR(_from));   /* unbounded copy of the poster-supplied From: header */
...
By crafting appropriate arguments in the From: header of the
message, an attacker can cause nnrpd to overwrite its stack,
overwrite the function return pointer on the stack, and thus
execute arbitrary binary code.
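The unbounded copy above, rewritten as a bounded copy that refuses over-long headers instead of writing past the buffer. This is an added example, not INN's own code: SMBUF is a constructed size here, and artpost_check_from and check_from_of_length are hypothetical helpers standing in for the ARTpost decision.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SMBUF is a constructed size for this example; INN defines its own
   value. Only its fixed-size nature matters here. */
#define SMBUF 256

/* Hardened replacement for the advisory's "strcpy(frombuf, HDR(_from));".
   Copies src into dst only when the string and its terminating NUL fit in
   dstsz bytes; otherwise leaves dst as an empty string and reports an
   error. Returns 0 on success, -1 when the header is too long. */
int copy_header_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || dstsz == 0 || src == NULL)
        return -1;
    n = strlen(src);
    if (n >= dstsz) {          /* no room for the NUL: refuse, do not truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* Hypothetical stand-in for the ARTpost decision: the From: header is
   copied into a fixed stack buffer, and an article whose header does not
   fit is rejected rather than overflowing the buffer. Returns 1 if the
   article would be accepted, 0 if it is rejected. */
int artpost_check_from(const char *from_header)
{
    char frombuf[SMBUF];

    if (copy_header_checked(frombuf, sizeof frombuf, from_header) != 0)
        return 0;
    /* ... the rest of ARTpost would continue with frombuf here ... */
    return 1;
}

/* Test helper: builds a constructed From: header of exactly len bytes
   (all 'A') and runs it through artpost_check_from. Returns that
   function's result, or -1 if allocation fails. */
int check_from_of_length(size_t len)
{
    char *hdr = malloc(len + 1);
    int ok;

    if (hdr == NULL)
        return -1;
    memset(hdr, 'A', len);
    hdr[len] = '\0';
    ok = artpost_check_from(hdr);
    free(hdr);
    return ok;
}

int main(void)
{
    printf("short header accepted:        %d\n", check_from_of_length(20));
    printf("SMBUF-1 byte header accepted: %d\n", check_from_of_length(SMBUF - 1));
    printf("SMBUF byte header accepted:   %d\n", check_from_of_length(SMBUF));
    printf("oversized header accepted:    %d\n", check_from_of_length(4 * SMBUF));
    return 0;
}
```

The check rejects the article rather than silently truncating with strncpy: truncation can leave the buffer without a terminating NUL and quietly alters a header that later code treats as the poster's identity, whereas a rejected post is both safe and visible in the server's logs.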
SOLUTION
As of last Friday, 25 Jul 97, the ISC has announced that it will be
making a set of patches for 1.5.1 available.
It would appear that Miquel van Smoorenburg at Cistron has made a
patch for this bug available; it can be obtained from:
http://miquels.www.cistron.nl/inn/
The new INN release is available at:
ftp://ftp.isc.org/isc/inn/inn-1.5.1sec.tar.gz
and the diff from 1.5.1 to 1.5.1sec is available as:
ftp://ftp.isc.org/isc/inn/inn-1.5.1-to-inn-1.5.1sec.diff.gz