AA-96.19 -- INN parsecontrol Vulnerability

Date: 19 March 1997

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.19                        AUSCERT Advisory
			INN parsecontrol Vulnerability
                                10 December 1996

Last Revised: 	19 March 1997

		Updated INN patch information and locations.  Added
		warning regarding the installation of INN.

- ---------------------------------------------------------------------------
	   
AUSCERT has received information that a vulnerability exists in all
versions of INN (InterNetNews) up to and including 1.5.  This
vulnerability allows intruders to execute arbitrary commands on the news
server by sending a carefully crafted news control message.  These commands
will be executed using the privileges of the user configured to run the INN
software (usually "news").

Information concerning this vulnerability has been widely released.

- ---------------------------------------------------------------------------

1.  Description

    All versions of INN (up to and including 1.5) contain a security
    vulnerability.  This vulnerability allows remote users to execute
    arbitrary commands on the news server by sending it a carefully crafted
    news control message.  These commands will be executed using the
    privileges of the user configured to run the INN software (usually
    "news").  This may be further leveraged to gain root access, depending
    on the configuration of the operating system and the INN software.

    As this is a vulnerability based upon the content of the news message,
    it is possible to attack news servers that are located behind firewalls
    and other boundary protection systems if the control message is passed
    through to the server.

    The version of INN running on the system can be determined by
    connecting to the nntp port (119) of the news server:

        % telnet localhost 119
	200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready

    Type "quit" to exit.

2.  Impact

    Remote users may be able to execute arbitrary commands on the news
    server with the privileges of the user configured to run the INN
    software (usually "news").

    This may be further leveraged to gain root access depending on the
    configuration of the operating system and the INN software.

3.  Workarounds/Solution

    AUSCERT recommends that sites using the vulnerable versions of INN
    should limit the possible exploitation of this vulnerability by
    immediately installing the current version of INN (Section 3.1) or
    applying patches (Section 3.2). Sites using vendor versions of INN
    should review CA-97.08 (Section 3.3).

3.1 Install Current Version

    AUSCERT recommends sites using versions of INN previous to 1.5.1
    upgrade to the current version immediately.  The vulnerability
    described in this advisory was fixed in version 1.5.1 of INN.

    More information regarding the current release of INN, and where
    it can be retrieved, can be found at:

	http://www.isc.org/isc/inn.html

    Sites are encouraged to make sure they have installed INN according
    to the recommended instructions.  CERT/CC warns:

    "If you are upgrading to INN 1.5.1, please be sure to read the README
    file carefully. Note that if you are upgrading to 1.5.1 from a previous
    release, running a "make update" alone is not sufficient to ensure
    that all of the vulnerable scripts are replaced (e.g., parsecontrol).
    Please especially note the following from the INN 1.5.1 distribution
    README file:

        When updating from a previous release, you will usually want
        to do "make update" from the top-level directory; this will
        only install the programs.  To update your scripts and config
        files, cd into the "site" directory and do "make clean" --
        this will remove any files that are unchanged from the
        official release.  Then do "make diff >diff"; this will show
        you what changes you will have to merge in.  Now merge in your
        changes (from where the files are, ie. /usr/lib/news...) into
        the files in $INN/site.  (You may find that due to the bug
        fixes and new features in this release, you may not need to
        change any of the scripts, just the configuration files).
        Finally, doing "make install" will install everything.

    After installing any of the patches or updates, ensure that you
    restart your INN server."

3.2 Apply Patches

    James Brister, the current maintainer of INN, has made available
    security patches for common versions of INN that address the
    vulnerability described in this advisory.

    For INN 1.5:

        ftp://ftp.isc.org/isc/inn/patches/security-patch.01

    For INN 1.4sec:

	ftp://ftp.isc.org/isc/inn/patches/security-patch.02

    For INN 1.4unoff3, 1.4unoff4:

	ftp://ftp.isc.org/isc/inn/patches/security-patch.03

    A README file and associated MD5 checksums for the above patches can
    be found at:

	ftp://ftp.isc.org/isc/inn/patches/
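
    The banner check from Section 1 and the version-to-patch list above can
    be combined into one triage step. The following is an added example, not
    part of the original advisory or of INN; the function name, status labels
    and all sample greetings except the first are constructed, and only the
    greeting layout shown in Section 1 is assumed.

```python
import re

# Greeting format taken from the advisory's telnet example:
#   200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready
# 200/201 are the NNTP greeting codes; other banner layouts are not handled.
BANNER_RE = re.compile(r"^20[01] \S+ InterNetNews server INN (\d\S*)")

FIXED = (1, 5, 1)  # first release containing the fix (Section 3.1)
PATCH_BASE = "ftp://ftp.isc.org/isc/inn/patches/"
PATCHES = {  # Section 3.2: INN version -> patch file
    "1.5": "security-patch.01",
    "1.4sec": "security-patch.02",
    "1.4unoff3": "security-patch.03",
    "1.4unoff4": "security-patch.03",
}


def triage(banner):
    """Classify one NNTP greeting line; returns (version, status, advice)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return (None, "unknown", "no INN version in greeting; check manually")
    version = m.group(1)
    # Leading dotted-number part only: '1.4unoff4' -> (1, 4)
    digits = re.match(r"\d+(?:\.\d+)*", version).group(0)
    nums = tuple(int(p) for p in digits.split("."))
    # Pad so that 1.5 compares as 1.5.0 against 1.5.1.
    nums += (0,) * (len(FIXED) - len(nums))
    if nums >= FIXED:
        return (version, "check-scripts",
                "innd is 1.5.1 or later; confirm site scripts such as parsecontrol were reinstalled")
    patch = PATCHES.get(version)
    if patch:
        return (version, "vulnerable",
                "upgrade to 1.5.1 or apply " + PATCH_BASE + patch)
    return (version, "vulnerable", "no patch listed for this version; upgrade to 1.5.1")


# Sample greetings: the first is quoted from the advisory, the rest are constructed.
SAMPLES = [
    "200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready",
    "200 news.example.org InterNetNews server INN 1.5.1 01-Jan-1997 ready",
    "201 news.example.org InterNetNews server INN 1.4unoff4 01-Jan-1996 ready",
    "200 news.example.org NNTP server ready",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```

    The greeting reflects the running innd program only. As the README text
    quoted in Section 3.1 notes, "make update" does not replace scripts such
    as parsecontrol, so a 1.5.1 greeting still needs the script check.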

3.3 Vendor information

    CERT/CC released an advisory (CA-97.08) containing specific vendor
    information that was not available when AUSCERT Advisory AA-96.19 was
    first released.  Sites should review this advisory for specific vendor
    information.  This advisory can be retrieved from:

    ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.08.innd
    ftp://ftp.cert.org/pub/cert_advisories/CA-97.08.innd 

- ---------------------------------------------------------------------------
AUSCERT thanks James Brister of the Internet Software Consortium for his
rapid response to this vulnerability.  AUSCERT also acknowledges Matt
Power from MIT for his initial report of the problem and CERT/CC for their
assistance.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

 6 Jan 1997     Updated Section 3 to include information on the new 
		version of INN (currently 1.5.1) which fixes the
		vulnerability described in this advisory.

13 Mar 1997     Updated Section 3 to include CERT/CC CA-97.08.innd with 
                vendor information.

19 Mar 1997	Updated Section 3 to include current patch information
		and warning regarding installation of new versions of INN.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMy/IsCh9+71yA2DNAQFFHgP/SU3KFCBaOZx9G7O+UwRCZuBQUqCGsQem
5KkS7kAffzfHtxPZa5Wjmp/K/A4Kyq8mrt0NDKaw4oNbUFmCCf4DBnHdw7F2LSBX
17Kpd0pDedpF7gKzE1zsMo8tdFQ4JvItcz6ue8rCHSUf9HYF0+a7to09Ihx9vmbT
Qb+EHKqsFZ8=
=02EO
-----END PGP SIGNATURE-----