Title: Vulnerability in innd
Released by: CERT
Date: 20th February 1997

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
CERT* Advisory CA-97.08
Original issue date: February 20, 1997
Last Revised: September 26, 1997
              Updated copyright statement

              A complete revision history is at the end of this file.

Topic 2: Second vulnerability related to INN - ucbmail
Topic 1: Vulnerability in innd
- -----------------------------------------------------------------------------

A second vulnerability was found in INN (InterNetNews server) after the
initial publication of this advisory. We are including it in this advisory as
"Topic 2" so that all INN information is in one advisory. Versions 1.5.1 and
earlier are vulnerable to this second problem.

Information about the first vulnerability has been widely distributed, and we
have received numerous reports of exploitation. INN 1.5 and earlier are
vulnerable to this problem.

Both vulnerabilities allow unauthorized users to execute arbitrary commands on
the machine running INN by sending a maliciously formed news control message.
Because the problem is with the content of news control messages, attacks can
be launched remotely and may reach news servers located behind Internet
firewalls.

The CERT/CC staff recommends that sites upgrade to INN 1.5.1 and add the patch
described in Section III.A. Until you can upgrade, you should apply two
patches, as described in Section III.B. You may also want to check with your
vendor. Vendors who have provided input for this advisory are listed in
Sec. III.C and Appendix A.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.  Description

    Topic 2 - ucbmail
    -----------------

    A second vulnerability involving INN has been found. It is similar to
    *but not the same as* the one described in Topic 1 below.

    INN itself attempts to carefully remove certain shell "metacharacters"
    from data in control messages before passing that data to a shell. The
    patch for Topic 1 fixes some of the checks that were found to be
    inadequate. However, ucbmail, a program typically configured as the mailer
    INN should use, lacks similar checks. INN passes some data unchecked to
    this mailer, which in turn passes the data to a shell for processing.

    James Brister, the current maintainer of INN, has made a patch available
    that checks more data before it is passed to the mailer program. Although
    only the ucbmail program is known to have this problem, sites are
    encouraged to apply the patch regardless of what mail program their INN is
    configured to use.

    Topic 1 - Information provided with the initial advisory
    ---------------------------------------------------------

    The INN daemon (innd) processes "newgroup" and "rmgroup" control messages
    in a shell script (parsecontrol) that uses the shell's "eval" command.
    However, some of the information passed to eval comes from the message
    without adequate checks for characters that are special to the shell.

    This permits anyone who can send messages to an INN server - almost anyone
    with Usenet access - to execute arbitrary commands on that server. These
    commands run with the uid and privileges of the "innd" process on that
    server. Because such messages are usually passed through Internet
    firewalls to a site's news server, servers behind such firewalls are
    vulnerable to attack. Also, the program executes these commands before
    checking whether the sender is authorized to create or remove newsgroups,
    so checks at that level (such as running pgpverify) do not prevent this
    problem.

    As of the advisory update of March 18, 1997, we have received numerous
    reports that the vulnerability is being exploited.

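    The pattern behind both topics, as an added example that is neither INN's
    parsecontrol nor any code from this advisory: a "Control:" line is
    re-parsed by the shell's eval, so a ';' inside the group name becomes a
    command boundary, whereas a check that refuses anything outside a
    newsgroup-name alphabet (the alphabet is an assumption for the example,
    not INN's own rule) stops the same line before it reaches eval, a mailer
    such as ucbmail, or any other program that might hand it to a shell. Both
    Control: values are constructed for the demonstration and the injected
    command is a harmless echo.

```shell
#!/bin/sh
# Added example: NOT INN's parsecontrol, only the pattern the advisory
# describes. Both Control: values are constructed; the injected command
# is a harmless echo so the output can be inspected.

CTRL_OK='newgroup comp.security.announce moderated'
CTRL_BAD='newgroup comp.security.announce;echo INJECTED moderated'

# Vulnerable pattern: eval re-parses the line, so the ';' inside the
# group name terminates the 'set' command and what follows runs as a
# command with the privileges of the process (innd, in the real case).
unsafe_split() {        # unsafe_split CONTROL_LINE  -> prints the group
    eval "set -- $1"
    printf '%s\n' "$2"
}

# Hardened pattern: plain field splitting (no re-parsing, no command
# substitution), then refuse anything outside an assumed newsgroup-name
# alphabet BEFORE the value reaches eval, a mailer, or any other program.
# This runs before any authorization step (pgpverify and the like), since
# the advisory's point is that the eval fired before those checks.
safe_group() {          # safe_group CONTROL_LINE  -> prints the group or fails
    set -f              # no globbing while splitting
    # shellcheck disable=SC2086
    set -- $1
    set +f
    verb=$1
    group=$2
    case "$verb" in
        newgroup|rmgroup) ;;
        *) printf 'rejected verb: %s\n' "$verb" >&2; return 1 ;;
    esac
    case "$group" in
        ''|*[!A-Za-z0-9.+_-]*)
            printf 'rejected group (metacharacter or empty): %s\n' "$group" >&2
            return 1 ;;
    esac
    printf '%s\n' "$group"
}

for ctrl in "$CTRL_OK" "$CTRL_BAD"; do
    printf '== %s\n' "$ctrl"
    printf 'unsafe: '; unsafe_split "$ctrl"
    printf 'safe:   '; safe_group "$ctrl" 2>&1 || echo "(refused)"
done
```

    With CTRL_BAD, unsafe_split prints "INJECTED moderated" before the group
    name, which is exactly the arbitrary-command execution described above;
    safe_group refuses the line because "comp.security.announce;echo" is not
    a group name. The ordering is the security-relevant part: the validation
    happens before any authorization, and the same checking of data before it
    is handed to the mailer is what the Topic 2 patch adds, so the mailer
    never sees a string it could re-parse.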



    Determining if you are vulnerable
    ---------------------------------

    You can determine which version of INN your site is running by connecting
    to the NNTP port (119) of your news server. For example:

          % telnet news.your.site 119
          Connected to news.your.site
          Escape character is '^]'.
          200 news.your.site InterNetNews server INN 1.4unoff4 05-Mar-96 ready

    Type "quit" to exit the connection. Note that this does not indicate
    whether or not the patch recommended below has been installed.

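    The banner check above, turned into a repeatable test as an added example
    (not part of the advisory or of INN): the functions below pull the version
    token that follows "INN " out of the greeting and map it to the version
    ranges this advisory states, which is all a greeting can tell you. It
    cannot show whether security-patch.05 was applied, so 1.5.1 is reported as
    vulnerable unless already patched. The sample greetings are constructed
    (the first is the one quoted above); the get_banner helper, which needs
    network access and nc(1), is an assumption about the host and is not run
    by the offline demonstration.

```shell
#!/bin/sh
# Added example; not from the CERT advisory or the INN distribution.
# Classifies an NNTP greeting against the version ranges in this advisory:
#   Topic 1 (parsecontrol eval): INN 1.5 and earlier
#   Topic 2 (ucbmail):           INN 1.5.1 and earlier
# The greeting cannot reveal whether security-patch.05 was applied.

# Print the token that follows " INN " in a greeting line; fail if absent.
inn_version_from_banner() {       # inn_version_from_banner GREETING
    case "$1" in
        *" INN "*) ;;
        *) return 1 ;;
    esac
    v=${1#*" INN "}
    printf '%s\n' "${v%% *}"
}

# Map a version token to what the advisory says about it.
classify_inn_version() {          # classify_inn_version VERSION
    case "$1" in
        1.4sec2)    echo "vulnerable: Topic 1 and Topic 2; no patch, upgrade to 1.5.1" ;;
        1.4*|1.5)   echo "vulnerable: Topic 1 and Topic 2" ;;
        1.5.1)      echo "vulnerable: Topic 2 unless security-patch.05 is applied" ;;
        1.5.1sec2)  echo "current release per the Aug 15, 1997 update" ;;
        *)          echo "not covered by this advisory; ask your vendor" ;;
    esac
}

# Fetch a live greeting (assumes nc(1) and network access; not used by
# the offline demonstration below).
get_banner() {                    # get_banner HOST [PORT]
    printf 'QUIT\r\n' | nc -w 5 "$1" "${2:-119}" | head -n 1 | tr -d '\r'
}

# Constructed greetings; the first is the one quoted in the advisory.
for banner in \
    '200 news.your.site InterNetNews server INN 1.4unoff4 05-Mar-96 ready' \
    '200 news.example.org InterNetNews server INN 1.5.1 ready' \
    '200 news.example.org InterNetNews server INN 1.5.1sec2 ready' \
    '200 news.example.org NNTP service ready'
do
    if v=$(inn_version_from_banner "$banner"); then
        printf '%-10s %s\n' "$v" "$(classify_inn_version "$v")"
    else
        printf 'no INN version in greeting: %s\n' "$banner"
    fi
done
```

    For a live host, "v=$(get_banner news.your.site) && classify_inn_version
    "$(inn_version_from_banner "$v")"" gives the same verdict. Treat the
    result as a triage hint only: a server whose greeting says 1.5.1 may
    already carry patch 05, and a vendor build may report a version string
    that the advisory never lists.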





II. Impact

    (applies to both topics 1 & 2)

    Remote, unauthorized users can execute arbitrary commands on the
    system with the same privileges as the innd (INN daemon) process.
    Attacks may reach news servers located behind Internet firewalls.

III. Solution

     Warning: If you applied any of the solutions offered in the version of
              this advisory released on Feb. 20, 1997, you must add an
              additional patch.

     (The following recommendations apply to both topics 1 & 2.)

     We recommend upgrading to version 1.5.1 and applying the patch developed
     by James Brister, the current maintainer of INN (Section III. A). If you
     upgraded previously, you must apply this new patch to protect against the
     second vulnerability. Until you can upgrade, you need to apply two
     patches (Section III. B). You may also want to consult your vendor.
     Vendors who have provided input for this advisory are listed in
     Sec. III.C and Appendix A.

     After installing any of the patches or updates, ensure that you
     restart your INN server.

     A. Upgrade to INN 1.5.1 and apply a patch.

        The current version of INN is 1.5.1. It is not vulnerable to the first
        vulnerability; but it is vulnerable to the second, so a patch is
        necessary. (See the UPDATES section at the end of this file: as of
        August 15, 1997 the current release is inn-1.5.1sec2.)

        When you upgrade to INN 1.5.1, please be sure to read the README file
        carefully.

        INN 1.5.1 and information about it are available from

                http://www.isc.org/inn.html

        The md5 checksum for the gzip'ed tar file is
                MD5 (inn-1.5.1.tar.gz) = 555d50c42ba08ece16c6cdfa392e0ca4

        The patch is available from
                http://ftp.isc.org/isc/inn/patches/security-patch.05

        Note that the advisory originally pointed to patch 04; there was a
        problem with this patch. You need to install patch 05.

        Checksums for patches are in the directory, along with a README.

     B. If you do not upgrade to 1.5.1, apply a patch for the version you are
        running and then apply the newly released patch that addresses the
        second vulnerability discussed in this advisory. If you are running
        INN 1.4sec2, you should upgrade to 1.5.1 as no patches are available.

        FIRST apply:
        version               patch
        -------               -----
        1.5                   http://ftp.isc.org/isc/inn/patches/security-patch.01
        1.4sec                http://ftp.isc.org/isc/inn/patches/security-patch.02
        1.4unoff3, 1.4unoff4  http://ftp.isc.org/isc/inn/patches/security-patch.03

        THEN apply (1.5.1, 1.5, 1.4sec, 1.4unoff3, 1.4unoff4):
                              http://ftp.isc.org/isc/inn/patches/security-patch.05

        Note that the advisory originally pointed to patch 04; there was a
        problem with this patch. You need to install patch 05.

        There are md5 checksums for each file in the directory, and a README file
        describes what is what.

     C. Consult your vendor

        Below is a list of vendors who have provided information about INN.
        Details are in Appendix A of this advisory; we will update the
        appendix as we receive more information. If your vendor's name is not
        on this list, the CERT/CC did not hear from that vendor. Please
        contact your vendor directly.

           Berkeley Software Design, Inc. (BSDI)
           Caldera
           Cray Research - A Silicon Graphics Company
           Debian Linux
           NEC Corporation
           Netscape
           Red Hat Linux

...........................................................................

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory, along with an indication about whether the information relates to
the first vulnerability or both. We will update this appendix as we receive
additional information.  If you do not see your vendor's name, the CERT/CC did
not hear from that vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
====================================
For Topic 1
        We ship INN as part of our distribution.  BSD/OS 2.1 includes INN
        1.4sec and 2.1 users should apply the patch referenced in the
        advisory.  BSD/OS 3.0 includes INN 1.4unoff4 and the patch for that
        version is already included so BSD/OS 3.0 is not vulnerable as
        distributed.

Caldera
=======
For Topic 1
        An upgrade package for Caldera OpenLinux Base 1.0 will appear at
        Caldera's site:

http://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm

        MD5 sum is:

        3bcd3120b93f41577d3246f3e9276098  inn-1.5.1-2.i386.rpm

Cray Research - A Silicon Graphics Company
==========================================
For Topics 1 and 2
        Cray Research has never shipped any news server with Unicos.

Debian Linux
============
For Topic 1
        The current version of INN shipped with Debian is 1.4unoff4. However
        the "unstable" (or development) tree contains inn-1.5.1. It can be
        gotten from any debian mirror in the subdirectory

        debian/unstable/binary/news

d3603d9617fbf894a3743a330544b62e 591154 news optional inn_1.5.1-1_i386.deb
205850779d2820f03f2438d063e1dc51 45230 news optional inn-dev_1.5.1-1_i386.deb
badbe8431479427a4a4de8ebd6e1e150 31682 news optional inewsinn_1.5.1-1_i386.deb

NEC Corporation
===============
For Topics 1 and 2
         The products below are shipped with the INN mentioned in this
         advisory, so they are vulnerable and patches are in progress.

         Goah/NetworkSV R1.2     vulnerable
         Goah/NetworkSV R2.2     vulnerable
         Goah/NetworkSV R3.1     vulnerable
         Goah/IntraSV R1.1       vulnerable

Netscape
========
For Topic 2
     The Netscape News Server 2.01 and current beta (and future shipping)
     versions of Netscape Collabra Server are NOT vulnerable to this problem
     because the Netscape News Server uses its own mailer instead of
     'ucbmail'. The Netscape News Server mailer is a simple SMTP front-end
     that DOES NOT pass anything to the shell. Hence it is immune to the
     vulnerability outlined in topic 2 of the advisory.

     Netscape News Server 1.1 users should apply the patch recommended by the
     CERT Advisory to solve this problem.

For Topic 1
     The Netscape News Server 2.01 is immune to the attack outlined in the
     advisory.

     The News Server 1.1 is, however, subject to the same vulnerability as INN
     and we have advised customers to install the patch described in the
     advisory.

Red Hat Linux
=============
For Topics 1 and 2
There is a critical security hole in INN which affects all versions of Red Hat
Linux. A new version, inn-1.5.1-6, is now available for Red Hat Linux 4.0 and
4.1 for all platforms. If you are running an earlier version of Red Hat, we
strongly encourage you to upgrade to 4.1 as soon as possible, as many critical
security fixes have been made. The new version of inn is PGP signed with the
Red Hat PGP key, which is available on all Red Hat CDROMs, ftp.redhat.com, and
public keyservers.

You may upgrade to the new version as follows:

Red Hat 4.1
- -----------

i386:
rpm -Uvh http://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm

alpha:
rpm -Uvh http://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm

SPARC:
rpm -Uvh http://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm

Red Hat 4.0
- -----------

i386:
rpm -Uvh http://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm

alpha:
rpm -Uvh http://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm

SPARC:
rpm -Uvh http://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm

- -----------------------------------------------------------------------------
The CERT Coordination Center thanks James Brister of the Internet Software
Consortium for making fixes available and Matt Power of MIT for
analyzing and reporting the first problem. We also thank AUSCERT for their
contributions to this advisory. James Crawford Ralston of the University of
Pittsburgh and Frank Miller of Tektronix Corporation assisted with the
March 18, 1997 update.

The second vulnerability addressed in this advisory was discovered by security
experts in the Global Security Analysis Laboratory (GSAL) at IBM's
T.J. Watson Research Center. We thank the IBM Emergency Response Service for
providing information on this topic. (They published information in
ERS-SVA-E01-1997:002.1. Their alert is copyrighted 1997 by International
Business Machines Corporation.)

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info).

CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        http://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

- ------------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: http://info.cert.org/pub/cert_advisories/CA-97.08.innd
           http://www.cert.org
               click on "CERT Advisories"

==============================================================================
UPDATES

August 15, 1997
- --------------
The current version is inn-1.5.1sec2, and is available from:

         http://ftp.isc.org/isc/inn/inn-1.5.1sec2.tar.gz

March 18, 1997
- --------------
If you are upgrading to INN 1.5.1, please be sure to read the README file
carefully. Note that if you are upgrading to 1.5.1 from a previous release,
running a "make update" alone is not sufficient to ensure that all of the
vulnerable scripts are replaced (e.g., parsecontrol). Please especially note
the following from the INN 1.5.1 distribution README file:

        When updating from a previous release, you will usually want
        to do "make update" from the top-level directory; this will
        only install the programs.  To update your scripts and config
        files, cd into the "site" directory and do "make clean" --
        this will remove any files that are unchanged from the
        official release.  Then do "make diff >diff"; this will show
        you what changes you will have to merge in.  Now merge in your
        changes (from where the files are, ie. /usr/lib/news...) into
        the files in $INN/site.  (You may find that due to the bug
        fixes and new features in this release, you may not need to
        change any of the scripts, just the configuration files).
        Finally, doing "make install" will install everything.

After installing any of the patches or updates, ensure that you
restart your INN server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Sep. 26, 1997 Updated copyright statement
Aug. 15, 1997 UPDATES - added information about the
              latest release.

Apr 04, 1997  Appendix A - added information from Netscape about Topic 2
              Solution sections III.A and B - replaced pointer to patch 04
              with patch 05 and noted that you must use patch 05
              Contact information - corrected the URL for FIRST

Apr 03, 1997  Added information on a second vulnerability (labeled Topic 2),
              including a new patch that must be applied to many versions of
              INN. Labeled vendor information as input on Topic 1 or 2.

Mar 25, 1997  Section III.B - added a note that no patches are available for
                              version 1.4sec2.
Mar 24, 1997  Appendix A - added information from Netscape.
Mar 21, 1997  Appendix A - added information from NEC Corporation.
Mar 18, 1997  Updates section - added a caution for sites upgrading to 1.5.1
              Acknowledgments - added J. C. Ralston and F. Miller

Mar 17, 1997  Section III.B - corrected patch information (patch.03 must be
              used for 1.4unoff3, 1.4unoff4 rather than patch.01); added a
              URL for INN information.

              Section III.A and introduction - noted that the vulnerability
              is being actively exploited.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBS/Xlr9kb5qlZHQEQLbzgCgjxLOCyiSO3uVZY2Wx9+oF10MpY4AoKHl
3l2fB8b+G5LU9FWMpp/dglny
=6V+3
-----END PGP SIGNATURE-----







