Bugtraq mailing list archives
Re: ANNOUNCE: INN 1.5
From: mhpower () athena mit edu (Matt Power)
Date: Wed, 4 Dec 1996 21:59:46 -0600
In article <yy3ybfks8kj.fsf () velo pp vix com>, James Brister <brister () vix com> wrote:
I'm pleased to announce the first full release of an ISC sponsored version of INN (version 1.5).
INN 1.5 contains a serious remotely exploitable security hole. I would not recommend using this version as released. The security hole allows outsiders to execute arbitrary commands on your news server, by embedding the commands in the headers of control messages. This security hole still exists even if your control.ctl file disallows all automatic group creation, or if your control.ctl file is set up to run the pgpverify program on control messages. Also, it doesn't matter whether outsiders have TCP connectivity to your news server, only that their news articles can reach your server somehow. Outsiders' access will have the uid of innd (often username "news").

This is the same issue I posted about in news.software.nntp on 7 July 1995 <3tjsk4$fu8 () senator-bedfellow MIT EDU>. This security hole also exists in previous versions of INN, including INN 1.4 and (to the best of my knowledge) "inn1.4unoff4", although I have not installed or used any of the "inn1.4unoff" packages myself.

I think the attached patch will fix this problem for INN 1.5. I also suspect that the changes it makes will have essentially the same effect on versions of INN based on 1.4. For the INN 1.4 release, it also should fix an unrelated problem associated with text mailed by the rmgroup script possibly having a line-initial ~ generated by echo "${FROM} requested that ${P1} be removed." (This is a different ~ problem than the one in "1.4sec" or "1.4sec2".) This ~ issue is the only reason I know of that the patch below is preferable to the patch I posted in 1995. However, the patch below is possibly more consistent with the INN 1.5 code, in terms of how strings are checked and how restrictive the character set is for strings manipulated by a script that uses the sh "eval" command.

Matt

*** parsecontrol.old Fri Nov 29 18:32:18 1996 --- parsecontrol Tue Dec 3 01:50:43 1996 *************** *** 15,21 **** az=abcdefghijklmnopqrstuvwxyz ZN=0123456789 # Attempt to sanitize the address ! 
FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -dc ${az}${ZN}+-_.@%`" REPLYTO="$2" case "$3" in "") --- 15,21 ---- az=abcdefghijklmnopqrstuvwxyz ZN=0123456789 # Attempt to sanitize the address ! FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.@%`" REPLYTO="$2" case "$3" in "") *************** *** 55,60 **** --- 55,76 ---- writelog $MOST_LOGS/badcontrol.log "`date` Bad header by ${FROM}" exit fi + fi + + # Check characters in values of variables that will be inside an eval + TRANS1="`echo \"$1\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.`" + if [ ${1}X != ${TRANS1}X ]; then + rm -f ${TEMP} + ${SED} -e 's/^~/~~/' < ${ARTICLE} \ + | ${MAILCMD} -s "Malformed newsgroup name by ${FROM}" ${NEWSMASTER} + exit + fi + TRANSP="`echo \"$PROG\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.`" + if [ ${PROG}X != ${TRANSP}X ]; then + rm -f ${TEMP} + ${SED} -e 's/^~/~~/' < ${ARTICLE} \ + | ${MAILCMD} -s "Unexpected program name by ${FROM}" ${NEWSMASTER} + exit fi ACTION=mail
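Review bot: in the first hunk (lines 15,21), count how many backslashes actually reach tr. Replacing "+-_" with "\055" followed by the letters is the right fix: tr reads the three characters "+-_" as the range from '+' (octal 053) to '_' (octal 137), so the pre-patch "sanitized" FROM still admits ';', '/', ':', '<', '=', '>', '?', '[', '\', ']' and '^'. But the assignment sits in backquotes inside double quotes. The backquote level turns "\\\055" into "\055", and the inner shell then strips the backslash from the unquoted word, so tr most likely receives "055" followed by the letters. The set is still safe (no range is formed either way), but it silently stops admitting '-' at all, and the identical three-backslash spelling in the second hunk would then make any value containing a hyphen fail its comparison. Four backslashes ("\\\\055"), or single quotes around the set inside the backquotes, delivers the literal "\055" that was intended. A one-line comment explaining why the dash is written in octal (a bare leading '-' would be taken by tr as an option, and a dash between two characters forms a range) would stop a later cleanup from reintroducing the range.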
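Review bot: in the second hunk (lines 55,76) the new tests "[ ${1}X != ${TRANS1}X ]" and "[ ${PROG}X != ${TRANSP}X ]" leave both operands unquoted. A value containing whitespace or a glob character is word-split or expanded before [ sees it, [ then fails with a usage error (status 2), and "if" treats that as false, so exactly the kind of value this check exists to catch would fall through to the eval instead of being refused. Quote both sides: [ "${1}X" != "${TRANS1}X" ] and [ "${PROG}X" != "${TRANSP}X" ]. Two smaller points for the same hunk: since TRANS1 and TRANSP are lowercased by "tr ${AZ} ${az}" before the comparison, any uppercase letter in the value is rejected, which is stricter than the "Malformed newsgroup name" and "Unexpected program name" subjects suggest and deserves a comment; and the "${SED} -e 's/^~/~~/'" guarding the mailed article is the tilde fix the covering text mentions, so a comment saying it is there to stop mail from treating a line-initial ~ as an escape would make that hunk self-explanatory.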
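An added illustration, not part of Matt Power's post and not INN's own code: the pre-patch and patched tr character sets from parsecontrol written as stand-alone sh functions, together with a function that mirrors the patch's "refuse unless lowercasing and filtering leave the value unchanged" test for strings headed into an eval. All input values are constructed. It shows that the pre-patch set lets bracket and punctuation characters through because tr reads "+-_" as a range, while the patched set, with the dash spelled as tr's octal escape \055 at the front, does not. The set is handed to tr in single quotes here, so the escape reaches tr intact regardless of backquote or double-quote unescaping.

```shell
#!/bin/sh
# Added example, not from the post or from INN: compares the pre-patch and
# patched tr character sets used in parsecontrol and mirrors the patch's
# "reject unless the filter leaves the value unchanged" test.

AZ=ABCDEFGHIJKLMNOPQRSTUVWXYZ
az=abcdefghijklmnopqrstuvwxyz
ZN=0123456789

# Pre-patch set.  tr reads "+-_" as the range from '+' (octal 053) to
# '_' (octal 137), so characters such as ';', '/', ':', '<', '=', '>',
# '?', '[', '\', ']' and '^' survive the "sanitizing".
sanitize_old() {
    printf '%s' "$1" | tr "$AZ" "$az" | tr -dc "${az}${ZN}+-_.@%"
}

# Patched set.  '\055' is tr's octal escape for '-'; putting it first keeps
# it out of any range and avoids a bare leading '-' that tr would parse as
# an option.  Single quotes keep the backslash intact on its way to tr.
sanitize_new() {
    printf '%s' "$1" | tr "$AZ" "$az" | tr -dc '\055'"${az}${ZN}+_.@%"
}

# Mirror of the patch's check for values that will end up inside an eval:
# succeed only if lowercasing and filtering leave the value unchanged, so
# anything outside [-a-z0-9+_.] (uppercase included) is refused.  Both
# sides are quoted so whitespace or glob characters cannot break the test.
safe_for_eval() {
    filtered=$(printf '%s' "$1" | tr "$AZ" "$az" | tr -dc '\055'"${az}${ZN}+_.")
    [ "${1}X" = "${filtered}X" ]
}

# Constructed sample values.
sanitize_old 'Editor[1]@Example.COM'; echo    # editor[1]@example.com
sanitize_new 'Editor[1]@Example.COM'; echo    # editor1@example.com
if safe_for_eval 'comp.lang.c'; then echo 'comp.lang.c accepted'; fi
if safe_for_eval 'comp.lang.c[1]'; then :; else echo 'comp.lang.c[1] refused'; fi
```

Running it prints the filtered forms of the sample address under each set and reports which of the two sample group names the mirrored check accepts; the difference between the two sanitize functions is entirely in how tr parses the dash.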