Bugtraq mailing list archives

Re: ANNOUNCE: INN 1.5


From: mhpower () athena mit edu (Matt Power)
Date: Wed, 4 Dec 1996 21:59:46 -0600


In article <yy3ybfks8kj.fsf () velo pp vix com>,
James Brister  <brister () vix com> wrote:

> I'm pleased to announce the first full release of an ISC sponsored version
> of INN (version 1.5).

INN 1.5 contains a serious remotely exploitable security hole. I would
not recommend using this version as released.

The security hole allows outsiders to execute arbitrary commands on
your news server, by embedding the commands in the headers of control
messages. This security hole still exists even if your control.ctl
file disallows all automatic group creation, or if your control.ctl
file is set up to run the pgpverify program on control messages. Also,
it doesn't matter whether outsiders have TCP connectivity to your news
server, only that their news articles can reach your server somehow.
Outsiders' access will have the uid of innd (often username "news").

This is the same issue I posted about in news.software.nntp on 7 July
1995 <3tjsk4$fu8 () senator-bedfellow MIT EDU>. This security hole also
exists in previous versions of INN, including INN 1.4 and (to the best
of my knowledge) "inn1.4unoff4", although I have not installed or used
any of the "inn1.4unoff" packages myself.

I think the attached patch will fix this problem for INN 1.5. I also
suspect that the changes it makes will have essentially the same
effect on versions of INN based on 1.4. For the INN 1.4 release, it
also should fix an unrelated problem associated with text mailed by
the rmgroup script possibly having a line-initial ~ generated by

   echo "${FROM} requested that ${P1} be removed."

(This is a different ~ problem than the one in "1.4sec" or "1.4sec2".)

This ~ issue is the only reason I know of that the patch below is
preferable to the patch I posted in 1995. However, the patch below is
possibly more consistent with the INN 1.5 code, in terms of how
strings are checked and how restrictive the character set is for
strings manipulated by a script that uses the sh "eval" command.

Matt

*** parsecontrol.old    Fri Nov 29 18:32:18 1996
--- parsecontrol        Tue Dec  3 01:50:43 1996
***************
*** 15,21 ****
  az=abcdefghijklmnopqrstuvwxyz
  ZN=0123456789
  # Attempt to sanitize the address
! FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -dc ${az}${ZN}+-_.@%`"
  REPLYTO="$2"
  case "$3" in
  "")
--- 15,21 ----
  az=abcdefghijklmnopqrstuvwxyz
  ZN=0123456789
  # Attempt to sanitize the address
! FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.@%`"
  REPLYTO="$2"
  case "$3" in
  "")
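Review bot: the removed set `${az}${ZN}+-_.@%` does not add three extra characters, because tr reads `+-_` as a range from `+` (octal 053) to `_` (octal 137), so the "sanitized" address still kept `,`, `/`, `:`, `;`, `<`, `=`, `>`, `?`, `[`, `\`, `]` and `^`. Writing the hyphen first as `\\\055` removes the range, which is the right fix, but three backslashes inside a double-quoted backquote substitution are unescaped differently by different Bourne shells; after applying this, check on the target /bin/sh that tr really receives `\055` (run the line under `set -x`, or push `a;b<c` through it and confirm only `abc` comes out), or put the hyphen last in the set, where most tr implementations take it literally without any escaping.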
***************
*** 55,60 ****
--- 55,76 ----
             writelog $MOST_LOGS/badcontrol.log "`date` Bad header by ${FROM}"
        exit
      fi
+ fi
+
+ # Check characters in values of variables that will be inside an eval
+ TRANS1="`echo \"$1\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.`"
+ if [ ${1}X != ${TRANS1}X ]; then
+     rm -f ${TEMP}
+     ${SED} -e 's/^~/~~/' < ${ARTICLE} \
+         | ${MAILCMD} -s "Malformed newsgroup name by ${FROM}" ${NEWSMASTER}
+     exit
+ fi
+ TRANSP="`echo \"$PROG\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.`"
+ if [ ${PROG}X != ${TRANSP}X ]; then
+     rm -f ${TEMP}
+     ${SED} -e 's/^~/~~/' < ${ARTICLE} \
+         | ${MAILCMD} -s "Unexpected program name by ${FROM}" ${NEWSMASTER}
+     exit
  fi

  ACTION=mail
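Review bot: the comparisons `[ ${1}X != ${TRANS1}X ]` and `[ ${PROG}X != ${TRANSP}X ]` expand both operands unquoted, so if `$1` or `$PROG` ever contains whitespace or a glob character, test sees extra or altered words and fails with status 2 instead of returning true; the body that mails ${NEWSMASTER} and exits is then skipped and the unchecked value continues on to the eval that the comment at the top of the hunk is guarding. Quote both sides, `[ "${1}X" != "${TRANS1}X" ]`, and the same for PROG. The two checks also duplicate the pipeline and the mail-and-exit block; a small function taking the value and the subject text would keep the permitted set `\\\055${az}${ZN}+_.` in one place and make it obvious that `@` and `%`, allowed for FROM in the first hunk, are intentionally absent here.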

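The two character sets from the patch, and the quoting problem in its second hunk, worked through as an added example. This is not INN code and not from the post above: the function names, the sample From addresses and newsgroup names are constructed here, and it assumes a tr(1) that accepts octal escapes such as \055, which POSIX specifies.

```shell
#!/bin/sh
# Added example, not code from INN or from the original post. It contrasts the
# removed and the replacement tr character sets from the parsecontrol patch
# and shows why the patch's unquoted test comparison needs quoting.
# Assumption: tr(1) understands octal escapes such as \055 (POSIX requires it).
# Every input string below is constructed for the demonstration.

AZ=ABCDEFGHIJKLMNOPQRSTUVWXYZ
az=abcdefghijklmnopqrstuvwxyz
ZN=0123456789

# Pre-patch filter. tr reads "+-_" as a RANGE from '+' (octal 053) to
# '_' (octal 137), so , / : ; < = > ? [ \ ] ^ all survive "sanitizing".
old_filter() {
    printf '%s' "$1" | tr "$AZ" "$az" | tr -dc "${az}${ZN}+-_.@%"
}

# Patched filter: the hyphen is spelled \055 and placed first, so it is a
# literal and no range is formed. Only a-z 0-9 + - _ . @ % remain.
new_filter() {
    printf '%s' "$1" | tr "$AZ" "$az" | tr -dc "\\055${az}${ZN}+_.@%"
}

# The stricter set the patch applies to the newsgroup and program names
# before they reach an eval: no @ and no %.
name_filter() {
    printf '%s' "$1" | tr "$AZ" "$az" | tr -dc "\\055${az}${ZN}+_."
}

# The patch's comparison with the operands unquoted, as written there.
# Prints "reject" when the filter changed the value, "accept" otherwise.
check_name_unquoted() {
    trans=$(name_filter "$1")
    if [ ${1}X != ${trans}X ]; then
        echo reject
    else
        echo accept
    fi
}

# The same check with both operands quoted, as a reviewer would ask for.
check_name_quoted() {
    trans=$(name_filter "$1")
    if [ "${1}X" != "${trans}X" ]; then
        echo reject
    else
        echo accept
    fi
}

# Walk a few constructed values through both address filters, then show the
# unquoted comparison being skipped: a name containing an IFS character
# splits into extra words, test fails with status 2, and the reject branch
# never runs, while the quoted form rejects it.
demo() {
    for s in 'Alice;id@EXAMPLE.ORG' 'nobody</etc/passwd' 'comp.os-research'; do
        printf 'input: %s\n  old: %s\n  new: %s\n' \
            "$s" "$(old_filter "$s")" "$(new_filter "$s")"
    done
    printf 'unquoted check: %s\n' "$(check_name_unquoted 'comp.os news' 2>/dev/null)"
    printf 'quoted check:   %s\n' "$(check_name_quoted 'comp.os news')"
}

demo
```

Run it with the same /bin/sh that will execute parsecontrol: the old filter leaves `;` and `</etc/passwd` in the address untouched, and the unquoted check reports "accept" for a name the quoted check rejects.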