From owner-freebsd-security Mon Dec 9 23:05:53 1996
Message-Id: <199612100402.OAA13975@amethyst.auscert.org.au>
From: auscert@auscert.org.au
To: first-teams@first.org
Subject: (PUBLIC RELEASE) AUSCERT Advisory AA-96.19 INN parsecontrol Vulnerability
cc: auscert@auscert.org.au
Organization: AUSCERT (Australian Computer Emergency Response Team)
Date: Tue, 10 Dec 1996 14:02:26 +1000
Reply-To: auscert@auscert.org.au
X-restrictions: DO NOT REDISTRIBUTE BEYOND FIRST MEMBERS UNLESS THE AUTHOR OF THIS MESSAGE GRANTS EXPRESS PERMISSION TO REDISTRIBUTE
Resent-To: security@freebsd.org
Resent-Date: Mon, 09 Dec 1996 23:05:42 -0800
Resent-From: Paul Traina
Sender: owner-security@freebsd.org

===========================================================================
AA-96.19                        AUSCERT Advisory
                        INN parsecontrol Vulnerability
                               10 December 1996

Last Revised: --

---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in all
versions of INN (InterNetNews) up to and including 1.5.

This vulnerability allows intruders to execute arbitrary commands on the
news server by sending a carefully crafted news control message. These
commands will be executed using the privileges of the user configured to
run the INN software (usually "news").

Information concerning this vulnerability has been widely released.
---------------------------------------------------------------------------

1.  Description

    All versions of INN (up to and including 1.5) contain a security
    vulnerability. This vulnerability allows remote users to execute
    arbitrary commands on the news server by sending it a carefully
    crafted news control message. These commands will be executed using
    the privileges of the user configured to run the INN software
    (usually "news"). This may be further leveraged to gain root access,
    depending on the configuration of the operating system and the INN
    software.

    As this is a vulnerability based upon the content of the news message,
    it is possible to attack news servers that are located behind
    firewalls and other boundary protection systems if the control message
    is passed through to the server.

    The version of INN running on the system can be determined by
    connecting to the nntp port (119) of the news server:

        % telnet localhost 119
        200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready

    Type "quit" to exit.

2.  Impact

    Remote users may be able to execute arbitrary commands on the news
    server with the privileges of the user configured to run the INN
    software (usually "news"). This may be further leveraged to gain root
    access depending on the configuration of the operating system and the
    INN software.

3.  Workarounds/Solution

    AUSCERT recommends that news servers running the vulnerable versions
    of INN should limit the possible exploitation of this vulnerability by
    immediately applying the vendor patches listed in Section 3.1.

3.1 Apply Vendor Patches

    James Brister, the current maintainer of INN, has made available
    security patches for common versions of INN that address the
    vulnerability described in this advisory.

    For INN versions 1.4unoff3, 1.4unoff4 and 1.5:

        ftp://ftp.vix.com/pub/inn/patches/security-patch.01

    For INN version 1.4sec:

        ftp://ftp.vix.com/pub/inn/patches/security-patch.02

    The MD5 checksums for these patches are:

        MD5 (security-patch.01) = 06131a3d1f4cf19d7d1e664c10306fa8
        MD5 (security-patch.02) = 3a964ba0b2b2baf678ef554c67bb28f2

    AUSCERT recommends sites running previous versions of INN upgrade to
    the latest version of INN (version 1.5) and then apply
    security-patch.01. More information regarding the current release of
    INN can be found at:

        http://www.isc.org/isc/inn.html

---------------------------------------------------------------------------
AUSCERT thanks James Brister of the Internet Software Consortium for his
rapid response to this vulnerability. AUSCERT also acknowledges Matt Power
from MIT for his initial report of the problem.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
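
The version check in Section 1 and the patch table and MD5 checksums in Section 3.1, combined into one triage helper. This is an added example, not part of the AUSCERT advisory or of INN. The function names are hypothetical, and the banner pattern assumes greetings shaped like the one quoted in Section 1.

```python
import hashlib
import re

# Patch names and MD5 values as listed in Section 3.1 of the advisory.
PATCH_MD5 = {
    "security-patch.01": "06131a3d1f4cf19d7d1e664c10306fa8",
    "security-patch.02": "3a964ba0b2b2baf678ef554c67bb28f2",
}
# Version-to-patch mapping from Section 3.1.
PATCH_FOR = {"1.4unoff3": "security-patch.01", "1.4unoff4": "security-patch.01",
             "1.5": "security-patch.01", "1.4sec": "security-patch.02"}
# Assumption: the greeting has the shape shown in Section 1; 201 is the
# standard NNTP "no posting" variant of the 200 greeting.
BANNER_RE = re.compile(r"^20[01] \S+ InterNetNews server INN (\S+)")


def inn_version(banner):
    """Return the INN version token from an NNTP greeting, or None."""
    m = BANNER_RE.match(banner.strip())
    return m.group(1) if m else None


def advise(banner):
    """Map a greeting line to the action Section 3.1 recommends."""
    version = inn_version(banner)
    if version is None:
        return "no INN banner: check the server manually"
    if version in PATCH_FOR:
        return f"INN {version}: apply {PATCH_FOR[version]}"
    digits = re.match(r"\d+(?:\.\d+)*", version)
    if not digits:
        return f"INN {version}: unrecognised version, check manually"
    release = tuple(int(n) for n in digits.group().split("."))
    if release > (1, 5):
        return f"INN {version}: later than 1.5, not covered by AA-96.19"
    return f"INN {version}: upgrade to 1.5, then apply security-patch.01"


def patch_matches_advisory(name, data):
    """True only if data hashes to the MD5 the advisory lists for name."""
    expected = PATCH_MD5.get(name)
    return expected is not None and hashlib.md5(data).hexdigest() == expected


if __name__ == "__main__":
    # The greeting below is the one quoted in Section 1 of the advisory.
    print(advise("200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready"))
    # Constructed bytes standing in for a download; they must not verify.
    print(patch_matches_advisory("security-patch.01", b"constructed sample"))
```

Feed `advise` the first line returned on port 119, and pass `patch_matches_advisory` the bytes of the downloaded patch before applying it.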