COMMAND
C News & INN
SYSTEMS AFFECTED
Systems using C News performance release, or old versions of INN
PROBLEM
Escape characters in control messages can be used to run commands.
The problem was originally discovered for INN. INN insists on
using /usr/ucb/mail (BSDish systems) or /usr/bin/mailx (System
V). Apart from the name, Mailx is identical to ucbmail.
Examination of the cnews control message processing reveals that
the scripts used to execute the control messages pass chunks of
the contents of those messages to mail. If cnews is installed
in the default manner on a BSD type system, /bin and /usr/bin
come before /usr/ucb in the path for the news executables and
/bin/mail is executed -- however, if /usr/ucb comes first in the
path because of a nonstandard installation, /usr/ucb/mail gets run,
along with its tilde escapes, including ~! -- the bad implications
of this should be obvious.
SOLUTION
For INN please install the INN security patch (it consists of
adding sed -e 's/^~/~~/' to the mail command in the 7 affected
scripts). Disabling control messages altogether isn't necessary.
Only control messages that generate mail to the news user are harmful.
For C News, if /bin and /usr/bin are in the path of your news
scripts first, you have nothing immediately to worry about. You
might apply the following fixes anyway. Most safely, replace
references to "mail" with "/bin/mail". Slightly less safely,
assure that "/bin" and "/usr/bin" are in the path first. It is
entirely possible that there is some way to force these to the
end of the path using another trick. No matter what, assure that
your scripts run as user "news" or otherwise as a non-root user.
This will make sure that the impact of any other holes is
minimized. The scripts should already be running this way in an
ordinary installation, but yours might not be ordinary.
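
The two checks above, as an added example that is not taken from the INN patch or the C News scripts: the sed filter quoted for INN applied to a constructed message body, and a lookup of which "mail" a given path order selects. The function names, the sample text and the temporary directory layout are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the INN or C News sources).

# Double a leading "~" on each line so a mailer that honours tilde escapes
# sees literal text; this is the sed expression the advisory quotes.
escape_tildes() {
    sed -e 's/^~/~~/'
}

# Print the first directory in PATH-style string $1 holding an executable
# named "mail"; return 1 if there is none.
first_mail_dir() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        [ -n "$dir" ] || dir=.
        if [ -x "$dir/mail" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# Constructed sample: body text as a control-message script might pipe to mail.
sample_body() {
    printf '%s\n' 'newgroup request from example poster' \
        '~!echo constructed-sample-line' \
        'a ~ in the middle of a line is left alone'
}

# Constructed directory layout standing in for /bin and /usr/ucb.
demo_path_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/usr/ucb"
    : > "$tmp/bin/mail";     chmod +x "$tmp/bin/mail"
    : > "$tmp/usr/ucb/mail"; chmod +x "$tmp/usr/ucb/mail"
    default=$(first_mail_dir "$tmp/bin:$tmp/usr/ucb")
    nonstd=$(first_mail_dir "$tmp/usr/ucb:$tmp/bin")
    rm -rf "$tmp"
    printf '%s %s\n' "${default#"$tmp"}" "${nonstd#"$tmp"}"
}

sample_body | escape_tildes
demo_path_check
```

Calling first_mail_dir "$PATH" from the environment the news scripts actually run in shows which mailer a bare "mail" reference resolves to on that installation.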