AA-96.19.INN.parsecontrol.vul
d4ae7f565b8b6551eb5c62564d7e339d6eb611c67c3c7e278b27df14fd18be0c-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-96.19 AUSCERT Advisory
INN parsecontrol Vulnerability
10 December 1996
Last Revised: 19 March 1997
Updated INN patch information and locations. Added
warning regarding the installation of INN.
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in all
versions of INN (InterNetNews) up to and including 1.5. This
vulnerability allows intruders to execute arbitrary commands on the news
server by sending a carefully crafted news control message. These commands
will be executed using the privileges of the user configured to run the INN
software (usually "news").
Information concerning this vulnerability has been widely released.
- ---------------------------------------------------------------------------
1. Description
All versions of INN (up to and including 1.5) contain a security
vulnerability. This vulnerability allows remote users to execute
arbitrary commands on the news server by sending it a carefully crafted
news control message. These commands will be executed using the
privileges of the user configured to run the INN software (usually
"news"). This may be further leveraged to gain root access, depending
on the configuration of the operating system and the INN software.
As this is a vulnerability based upon the content of the news message,
it is possible to attack news servers that are located behind firewalls
and other boundary protection systems if the control message is passed
through to the server.
The version of INN running on the system can be determined by
connecting to the nntp port (119) of the news server:
% telnet localhost 119
200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready
Type "quit" to exit.
2. Impact
Remote users may be able to execute arbitrary commands on the news
server with the privileges of the user configured to run the INN
software (usually "news").
This may be further leveraged to gain root access depending on the
configuration of the operating system and the INN software.
3. Workarounds/Solution
AUSCERT recommends that sites using the vulnerable versions of INN
should limit the possible exploitation of this vulnerability by
immediately installing the current version of INN (Section 3.1) or
applying patches (Section 3.2). Sites using vendor versions of INN
should review CA-97.08 (Section 3.3).
3.1 Install Current Version
AUSCERT recommends sites using versions of INN previous to 1.5.1
upgrade to the current version immediately. The vulnerability
described in this advisory was fixed in version 1.5.1 of INN.
More information regarding the current release of INN, and where
it can be retrieved, can be found at:
http://www.isc.org/isc/inn.html
Sites are encouraged to make sure they have installed INN according
to the recommended instructions. CERT/CC warns:
"If you are upgrading to INN 1.5.1, please be sure to read the README
file carefully. Note that if you are upgrading to 1.5.1 from a previous
release, running a "make update" alone is not sufficient to ensure
that all of the vulnerable scripts are replaced (e.g., parsecontrol).
Please especially note the following from the INN 1.5.1 distribution
README file:
When updating from a previous release, you will usually want
to do "make update" from the top-level directory; this will
only install the programs. To update your scripts and config
files, cd into the "site" directory and do "make clean" --
this will remove any files that are unchanged from the
official release. Then do "make diff >diff"; this will show
you what changes you will have to merge in. Now merge in your
changes (from where the files are, ie. /usr/lib/news...) into
the files in $INN/site. (You may find that due to the bug
fixes and new features in this release, you may not need to
change any of the scripts, just the configuration files).
Finally, doing "make install" will install everything.
After installing any of the patches or updates, ensure that you
restart your INN server."
3.2 Apply Patches
James Brister, the current maintainer of INN, has made available
security patches for common versions of INN that address the
vulnerability described in this advisory.
For INN 1.5:
ftp://ftp.isc.org/isc/inn/patches/security-patch.01
For INN 1.4sec:
ftp://ftp.isc.org/isc/inn/patches/security-patch.02
For INN 1.4unoff3, 1.4unoff4:
ftp://ftp.isc.org/isc/inn/patches/security-patch.03
A README file and associated MD5 checksums for the above patches can
be found at:
ftp://ftp.isc.org/isc/inn/patches/
3.3 Vendor information
CERT/CC released an advisory (CA-97.08) containing specific vendor
information that was not available when AUSCERT Advisory AA-96.19 was
first released. Sites should review this advisory for specific vendor
information. This advisory can be retrieved from:
ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.08.innd
ftp://ftp.cert.org/pub/cert_advisories/CA-97.08.innd
- ---------------------------------------------------------------------------
AUSCERT thanks James Brister of the Internet Software Consortium for his
rapid response to this vulnerability. AUSCERT also acknowledges Matt
Power from MIT for his initial report of the problem and CERT/CC for their
assistance.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
6 Jan 1997 Updated Section 3 to include information on the new
version of INN (currently 1.5.1) which fixes the
vulnerability described in this advisory.
13 Mar 1997 Updated Section 3 to include CERT/CC CA-97.08.innd with
vendors information.
19 Mar 1997 Updated Section 3 to include current patch information
and warning regarding installation of new versions of INN.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMy/IsCh9+71yA2DNAQFFHgP/SU3KFCBaOZx9G7O+UwRCZuBQUqCGsQem
5KkS7kAffzfHtxPZa5Wjmp/K/A4Kyq8mrt0NDKaw4oNbUFmCCf4DBnHdw7F2LSBX
17Kpd0pDedpF7gKzE1zsMo8tdFQ4JvItcz6ue8rCHSUf9HYF0+a7to09Ihx9vmbT
Qb+EHKqsFZ8=
=02EO
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed