Date:      Tue, 10 Dec 1996 14:02:26 +1000
From:      auscert@auscert.org.au
To:        first-teams@first.org
Cc:        auscert@auscert.org.au
Subject:   (PUBLIC RELEASE) AUSCERT Advisory AA-96.19 INN parsecontrol Vulnerability
Message-ID:  <199612100402.OAA13975@amethyst.auscert.org.au>
Resent-Message-ID: <199612100705.XAA00476@precipice.shockwave.com>

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.19                        AUSCERT Advisory
                         INN parsecontrol Vulnerability
                                10 December 1996

Last Revised: --

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in all
versions of INN (InterNetNews) up to and including 1.5.  This
vulnerability allows intruders to execute arbitrary commands on the news
server by sending a carefully crafted news control message.  These commands
will be executed using the privileges of the user configured to run the INN
software (usually "news").

Information concerning this vulnerability has been widely released.

- ---------------------------------------------------------------------------

1.  Description

    All versions of INN (up to and including 1.5) contain a security
    vulnerability.  This vulnerability allows remote users to execute
    arbitrary commands on the news server by sending it a carefully crafted
    news control message.  These commands will be executed using the
    privileges of the user configured to run the INN software (usually
    "news").  This may be further leveraged to gain root access, depending
    on the configuration of the operating system and the INN software.

    As this is a vulnerability based upon the content of the news message,
    it is possible to attack news servers that are located behind firewalls
    and other boundary protection systems if the control message is passed
    through to the server.

    The version of INN running on the system can be determined by
    connecting to the nntp port (119) of the news server:

        % telnet localhost 119
        200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready

    Type "quit" to exit.
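
    The banner check above can be scripted across several servers. The
    following is an added example, not part of the original advisory: it
    classifies the version string in a greeting line against the affected
    range stated here, and patch status must still be checked separately.
    The function names and all sample banners except the first are
    constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an NNTP greeting against the
# advisory's affected range, "all versions of INN up to and including 1.5".

# inn_version BANNER: print the version token that follows "INN", if any.
# 200/201 are the NNTP greeting codes (posting allowed / not allowed).
inn_version() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^20[01] .*InterNetNews.* INN \([^ ][^ ]*\).*$/\1/p'
}

# inn_status BANNER: print affected | later | unknown | not-inn.
inn_status() {
    ver=$(inn_version "$1")
    [ -n "$ver" ] || { echo "not-inn"; return 0; }
    case $ver in
        [0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Keep the numeric prefix: "1.4unoff4" and "1.4sec" both compare as 1.4.
    num=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')
    IFS=. read -r major minor patch <<EOF
$num
EOF
    minor=${minor:-0}
    patch=${patch%%.*}
    patch=${patch:-0}
    if [ "$major" -lt 1 ] ||
       { [ "$major" -eq 1 ] && [ "$minor" -lt 5 ]; } ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 5 ] && [ "$patch" -eq 0 ]; }; then
        echo "affected"
    else
        echo "later"
    fi
}

# Constructed sample greetings; the first is the one shown in the advisory.
while IFS= read -r banner; do
    printf '%-9s %s\n' "$(inn_status "$banner")" "$banner"
done <<'EOF'
200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready
200 news.example InterNetNews server INN 1.4unoff4 ready
201 news.example InterNetNews server INN 2.0 ready
200 news.example NNTP server ready
EOF
```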

2.  Impact

    Remote users may be able to execute arbitrary commands on the news
    server with the privileges of the user configured to run the INN
    software (usually "news").

    This may be further leveraged to gain root access depending on the
    configuration of the operating system and the INN software.

3.  Workarounds/Solution

    AUSCERT recommends that sites running vulnerable versions of INN
    limit possible exploitation of this vulnerability by immediately
    applying the vendor patches listed in Section 3.1.

3.1 Apply Vendor Patches

    James Brister, the current maintainer of INN, has made available
    security patches for common versions of INN that address the
    vulnerability described in this advisory.

    For INN versions 1.4unoff3, 1.4unoff4 and 1.5:

        ftp://ftp.vix.com/pub/inn/patches/security-patch.01

    For INN version 1.4sec:

        ftp://ftp.vix.com/pub/inn/patches/security-patch.02

    The MD5 checksums for these patches are:

        MD5 (security-patch.01) = 06131a3d1f4cf19d7d1e664c10306fa8
        MD5 (security-patch.02) = 3a964ba0b2b2baf678ef554c67bb28f2
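
    One way to check a downloaded patch against the checksums above before
    applying it. This is an added example, not part of the original
    advisory; the function names are constructed, and it assumes md5sum,
    md5 or openssl is installed.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded INN patches against
# the checksums listed in the advisory before applying them.

# Checksums exactly as printed in the advisory ("MD5 (file) = hash" form).
ADVISORY_SUMS='MD5 (security-patch.01) = 06131a3d1f4cf19d7d1e664c10306fa8
MD5 (security-patch.02) = 3a964ba0b2b2baf678ef554c67bb28f2'

# expected_md5 NAME [SUMS]: print the hash listed for NAME, or nothing.
expected_md5() {
    printf '%s\n' "${2:-$ADVISORY_SUMS}" |
        sed -n 's/^[[:space:]]*MD5 (\(.*\)) = \([0-9a-fA-F]\{32\}\)[[:space:]]*$/\1 \2/p' |
        awk -v n="$1" '$1 == n { print tolower($2); exit }'
}

# file_md5 FILE: print the MD5 of FILE using whichever tool is available.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{ print $1 }'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 < "$1" | awk '{ print $NF }'
    fi
}

# verify_patch FILE [SUMS]: print ok | MISMATCH | unlisted | unreadable.
# Returns 0 only when the file's MD5 equals the listed value.
verify_patch() {
    want=$(expected_md5 "$(basename "$1")" "${2:-$ADVISORY_SUMS}")
    [ -n "$want" ] || { echo "unlisted"; return 2; }
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    got=$(file_md5 "$1")
    if [ "$got" = "$want" ]; then echo "ok"; else echo "MISMATCH"; return 1; fi
}

# Check whichever of the two patches is present in the current directory.
for f in security-patch.01 security-patch.02; do
    if [ -e "$f" ]; then
        printf '%s: %s\n' "$f" "$(verify_patch "$f")"
    fi
done
```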

    AUSCERT recommends that sites running previous versions of INN upgrade
    to the latest version of INN (version 1.5) and then apply
    security-patch.01.

    More information regarding the current release of INN can be found at:

        http://www.isc.org/isc/inn.html

- ---------------------------------------------------------------------------
AUSCERT thanks James Brister of the Internet Software Consortium for his
rapid response to this vulnerability.  AUSCERT also acknowledges Matt
Power from MIT for his initial report of the problem.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMq1l3Sh9+71yA2DNAQFvjgP9EPxKnVG+hccZWhMDUz6vuCnpK9aOZoHl
n88+KefS/NnDfwoR4OQfkoKeY2PlaXDspCAZpOruTQuC66PoRnKPCzSsBeu7y53n
3cox/NR22T1P7WzOVOtVAcpGgG2xsAO1f0E4cKau3mKReg7DHMXwDCIpjfrtkIfD
sOawerKUyH0=
=Whvi
-----END PGP SIGNATURE-----

