
CERT(sm) Advisory CA-97.08
Original issue date: February 20, 1997
Last revised: --
              
Topic: Vulnerability in innd
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports that a vulnerability exists
in all versions of INN (InterNetNews server) up to and including version 1.5.
This vulnerability allows unauthorized users to execute arbitrary commands on
the machine running INN by sending a maliciously formed news control message.
Because the problem is with the content of news control messages, attacks can
be launched remotely and may reach news servers located behind Internet
firewalls.

The CERT/CC recommends that sites upgrade to INN 1.5.1. Until you can do so,
we urge you to apply the patch described in Sec. III.B. Information about
this vulnerability has been widely distributed.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

-----------------------------------------------------------------------------

I.   Description

      The INN daemon (innd) processes "newgroup" and "rmgroup" control messages
      in a shell script (parsecontrol) that uses the shell's "eval" command.
      However, some of the information passed to eval comes from the message
      without adequate checks for characters that are special to the shell.

      This permits anyone who can send messages to an INN server - almost
      anyone with Usenet access - to execute arbitrary commands on that
      server. These commands run with the uid and privileges of the "innd"
      process on that server. Because such messages are usually passed through
      Internet firewalls to a site's news server, servers behind such
      firewalls are vulnerable to attack. Also, the program executes these
      commands before checking whether the sender is authorized to create or
      remove newsgroups, so checks at that level (such as running pgpverify)
      do not prevent this problem.
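As an added illustration (not INN's parsecontrol code and not from the advisory), the check the description above says was missing: the arguments of a newgroup/rmgroup control line are validated against a strict token grammar before any of them can reach a shell. The accepted newsgroup-name grammar is an assumption made for this example, and the sample articles are constructed.

```python
import re

# Conservative newsgroup-name grammar, an assumption for this example rather
# than INN's own rule: dot-separated components that start with a letter or
# digit and continue with letters, digits, '+', '-' or '_'. Every shell
# metacharacter (space, ';', '`', '$', '|', '&', quotes, parentheses ...)
# lies outside it, so an accepted name cannot alter a command it is spliced into.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+_-]*(?:\.[A-Za-z0-9][A-Za-z0-9+_-]*)*$")
_HANDLED_VERBS = ("newgroup", "rmgroup")  # the two verbs the advisory covers


def control_line(article):
    """Return the value of the first Control: header, or None if absent."""
    for line in article.split("\n"):
        if line == "":          # empty line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "control":
            return value.strip()
    return None


def check_control(article):
    """Classify an article before its control arguments reach any shell.
    Returns ("accept", verb, args) when every argument is a safe token,
    ("reject", reason, offending_value) otherwise, or ("ignore", None, None)
    when the article carries no Control: header at all.
    """
    ctl = control_line(article)
    if ctl is None:
        return ("ignore", None, None)
    parts = ctl.split()
    if not parts or parts[0] not in _HANDLED_VERBS:
        return ("reject", "unhandled-verb", parts[0] if parts else "")
    verb, args = parts[0], parts[1:]
    if not args:
        return ("reject", "missing-group", verb)
    for arg in args:
        if not _SAFE_TOKEN.match(arg):     # the check the advisory says was missing
            return ("reject", "unsafe-characters", arg)
    return ("accept", verb, args)


# Constructed sample articles, not real traffic; PLACEHOLDER stands for whatever
# text would follow the metacharacter.
GOOD_ARTICLE = "From: news@example.invalid\nControl: newgroup comp.example.test moderated\n\nbody\n"
BAD_ARTICLE = "From: news@example.invalid\nControl: rmgroup comp.example;PLACEHOLDER\n\nbody\n"
PLAIN_ARTICLE = "From: news@example.invalid\nSubject: hello\n\nbody\n"
```

Running check_control over articles as they arrive, and rejecting anything but "accept", closes the gap independently of the later pgpverify-style authorization step the advisory mentions.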

      All versions of INN through 1.5 are vulnerable. You can determine which
      version of INN your site is running by connecting to the NNTP port
      (119) of your news server. For example:

          % telnet news.your.site 119
          Connected to news.your.site
          Escape character is '^]'.
          200 news.your.site InterNetNews server INN 1.4unoff4 05-Mar-96 ready

      Type "quit" to exit the connection. Note that this does not indicate
      whether or not the patch recommended below has been installed.
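An added Python helper, not part of the advisory, that applies the version check above to an NNTP greeting: fetch_banner() reads the banner from port 119 and sends QUIT, and assess_banner() classifies every INN release through 1.5 as vulnerable and 1.5.1 or later as fixed. The host names in the sample greetings are constructed; the first greeting is the advisory's own example.

```python
import re
import socket

# Version token that follows "INN" in the greeting, e.g. "1.4unoff4", "1.4sec",
# "1.5", "1.5.1": major.minor, optional .patch, optional alphanumeric suffix.
_INN_RE = re.compile(r"\bINN\s+(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z0-9]*)")
FIXED_VERSION = (1, 5, 1)   # first release without the parsecontrol problem

def parse_inn_version(banner):
    """Return (major, minor, patch, suffix) from an NNTP greeting, or None
    when the banner does not announce an InterNetNews server."""
    m = _INN_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0, suffix)

def assess_banner(banner):
    """Map a greeting to 'vulnerable', 'fixed' or 'not-inn'. Every release
    before 1.5.1 is affected whatever its suffix (1.4sec and 1.4unoffN included).
    As the advisory notes, the banner cannot show whether security-patch.01/.02
    was applied, so 'vulnerable' means 'unpatched unless you know otherwise'."""
    v = parse_inn_version(banner)
    if v is None:
        return "not-inn"
    return "fixed" if v[:3] >= FIXED_VERSION else "vulnerable"

def fetch_banner(host, port=119, timeout=10.0):
    """Read the greeting line from a live server, then send QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
        s.sendall(b"QUIT\r\n")
    return data.decode("ascii", "replace").strip()

# Constructed greetings (the first is the advisory's own example) with the
# assessment each should receive.
SAMPLE_BANNERS = {
    "200 news.your.site InterNetNews server INN 1.4unoff4 05-Mar-96 ready": "vulnerable",
    "200 news.example.invalid InterNetNews server INN 1.4sec ready": "vulnerable",
    "200 news.example.invalid InterNetNews server INN 1.5 ready": "vulnerable",
    "200 news.example.invalid InterNetNews server INN 1.5.1 ready": "fixed",
    "200 news.example.invalid NNTP service ready": "not-inn",
}
```

Against a real server, `assess_banner(fetch_banner("news.your.site"))` performs the same classification from the live greeting.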


II.  Impact

     Remote, unauthorized users can execute arbitrary commands on the
     system with the same privileges as the innd (INN daemon) process.
     

III. Solution
     
     Upgrade to INN 1.5.1. Until you can do so, install the patches available
     from James Brister or get help from your vendor, if it is available.

     A. Upgrade to INN 1.5.1

	The current version of INN is 1.5.1, which does not have this
	vulnerability. Archive sites for INN version 1.5.1 along with
	additional information about INN are given at

		http://www.isc.org/inn.html

	The MD5 checksum for the gzip'ed tar file is

		MD5 (inn-1.5.1.tar.gz) = 555d50c42ba08ece16c6cdfa392e0ca4


     B. Install patches

	Until you are able to upgrade to INN 1.5.1, we recommend installing
        the following patches, which have been made available by James Brister,
        the current maintainer of INN.

        For releases inn1.4unoff3, inn1.4unoff4, and inn1.5 (all versions),
        apply "security-patch.01" at 

           ftp://ftp.isc.org/isc/inn/patches/security-patch.01
	   MD5 (security-patch.01) = 06131a3d1f4cf19d7d1e664c10306fa8

        For release 1.4sec, Brister recommends upgrading to a newer version,
	but he has made the patch "security-patch.02" available at

           ftp://ftp.isc.org/isc/inn/patches/security-patch.02
	   MD5 (security-patch.02) = 3a964ba0b2b2baf678ef554c67bb28f2


     C. Consult your vendor

	Below is a list of vendors who have provided information about this
        problem. Details are in Appendix A of this advisory; we will update
        the appendix as we receive more information. If your vendor's name is 
	not on this list, the CERT/CC did not hear from that vendor. Please
	contact your vendor directly. 

	   Berkeley Software Design, Inc. (BSDI)
	   Caldera
	   Cray Research - A Silicon Graphics Company
	   Debian Linux
	   Red Hat
	   
...........................................................................

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.


Berkeley Software Design, Inc. (BSDI)
=====================================
	We ship INN as part of our distribution.  BSD/OS 2.1 includes INN
	1.4sec and 2.1 users should apply the patch referenced in the
	advisory.  BSD/OS 3.0 includes INN 1.4unoff4 and the patch for that
	version is already included so BSD/OS 3.0 is not vulnerable as
	distributed.


Caldera
=======
	An upgrade package for Caldera OpenLinux Base 1.0 will appear at
	Caldera's site:

ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm

	MD5 sum is:

	3bcd3120b93f41577d3246f3e9276098  inn-1.5.1-2.i386.rpm


Cray Research - A Silicon Graphics Company
==========================================
	Cray Research has never shipped any news server with Unicos.


Debian Linux
============
	The current version of INN shipped with Debian is 1.4unoff4. However
	the "unstable" (or development) tree contains inn-1.5.1. It can be
	gotten from any debian mirror in the subdirectory

	debian/unstable/binary/news

d3603d9617fbf894a3743a330544b62e 591154 news optional inn_1.5.1-1_i386.deb
205850779d2820f03f2438d063e1dc51 45230 news optional inn-dev_1.5.1-1_i386.deb
badbe8431479427a4a4de8ebd6e1e150 31682 news optional inewsinn_1.5.1-1_i386.deb


Red Hat
=======
	All users of Red Hat 4.0 and Red Hat 4.1 are urged to upgrade to the
	inn-1.5.1-3 package available from ftp.redhat.com. The same package
	will work on both 4.0 and 4.1 systems, and is available from
	ftp.redhat.com in /updates/4.0 and /updates/4.1. Users with direct
	Internet connections can upgrade with one of the following commands:

	i386:
	rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-3.i386.rpm

	alpha (note the --ignorearch is only needed for Red Hat 4.0/AXP users):
	rpm -Uvh --ignorearch \
		ftp://ftp.redhat.com/4.1/updates/i386/inn-1.5.1-3.alpha.rpm

	SPARC:
	rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-3.alpha.rpm

	All of these packages have been signed with Red Hat's PGP key, which is
	available on all Red Hat CDROMs, ftp.redhat.com, and public keyservers.

-----------------------------------------------------------------------------
The CERT Coordination Center thanks James Brister of the Internet Software
Consortium for making these fixes available and Matt Power of MIT for
analyzing and reporting this problem. We also thank AUSCERT for their
contributions to this advisory. 
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response 
and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts). 


CERT/CC Contact Information 
----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information. 
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce 

   To be added to our mailing list for advisories and bulletins, send 
   email to
        cert-advisory-request@cert.org 
   In the subject line, type 
	SUBSCRIBE  your-email-address 

---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.
---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd
           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
