AA-96.19 -- INN parsecontrol Vulnerability
Date: 19 March 1997
===========================================================================
AA-96.19                        AUSCERT Advisory
                        INN parsecontrol Vulnerability
                              10 December 1996

Last Revised: 19 March 1997
        Updated INN patch information and locations.
        Added warning regarding the installation of INN.

---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in all versions of INN (InterNetNews) up to and including 1.5.

This vulnerability allows intruders to execute arbitrary commands on the news server by sending a carefully crafted news control message. These commands will be executed using the privileges of the user configured to run the INN software (usually "news").

Information concerning this vulnerability has been widely released.
---------------------------------------------------------------------------

1.  Description

    All versions of INN (up to and including 1.5) contain a security vulnerability. This vulnerability allows remote users to execute arbitrary commands on the news server by sending it a carefully crafted news control message. These commands will be executed using the privileges of the user configured to run the INN software (usually "news"). This may be further leveraged to gain root access, depending on the configuration of the operating system and the INN software.

    As this is a vulnerability based upon the content of the news message, it is possible to attack news servers that are located behind firewalls and other boundary protection systems if the control message is passed through to the server.

    The version of INN running on the system can be determined by connecting to the nntp port (119) of the news server:

        % telnet localhost 119
        200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready

    Type "quit" to exit.

2.  Impact

    Remote users may be able to execute arbitrary commands on the news server with the privileges of the user configured to run the INN software (usually "news"). This may be further leveraged to gain root access depending on the configuration of the operating system and the INN software.

3.  Workarounds/Solution

    AUSCERT recommends that sites using the vulnerable versions of INN should limit the possible exploitation of this vulnerability by immediately installing the current version of INN (Section 3.1) or applying patches (Section 3.2).

    Sites using vendor versions of INN should review CA-97.08 (Section 3.3).

3.1 Install Current Version

    AUSCERT recommends sites using versions of INN previous to 1.5.1 upgrade to the current version immediately. The vulnerability described in this advisory was fixed in version 1.5.1 of INN.

    More information regarding the current release of INN, and where it can be retrieved, can be found at:

        http://www.isc.org/isc/inn.html

    Sites are encouraged to make sure they have installed INN according to the recommended instructions. CERT/CC warns:

    "If you are upgrading to INN 1.5.1, please be sure to read the README file carefully. Note that if you are upgrading to 1.5.1 from a previous release, running a "make update" alone is not sufficient to ensure that all of the vulnerable scripts are replaced (e.g., parsecontrol). Please especially note the following from the INN 1.5.1 distribution README file:

        When updating from a previous release, you will usually want to do "make update" from the top-level directory; this will only install the programs. To update your scripts and config files, cd into the "site" directory and do "make clean" -- this will remove any files that are unchanged from the official release. Then do "make diff >diff"; this will show you what changes you will have to merge in. Now merge in your changes (from where the files are, ie. /usr/lib/news...) into the files in $INN/site. (You may find that due to the bug fixes and new features in this release, you may not need to change any of the scripts, just the configuration files). Finally, doing "make install" will install everything.

    After installing any of the patches or updates, ensure that you restart your INN server."

3.2 Apply Patches

    James Brister, the current maintainer of INN, has made available security patches for common versions of INN that address the vulnerability described in this advisory.

    For INN 1.5:
        ftp://ftp.isc.org/isc/inn/patches/security-patch.01

    For INN 1.4sec:
        ftp://ftp.isc.org/isc/inn/patches/security-patch.02

    For INN 1.4unoff3, 1.4unoff4:
        ftp://ftp.isc.org/isc/inn/patches/security-patch.03

    A README file and associated MD5 checksums for the above patches can be found at:

        ftp://ftp.isc.org/isc/inn/patches/

3.3 Vendor information

    CERT/CC released an advisory (CA-97.08) containing specific vendor information that was not available when AUSCERT Advisory AA-96.19 was first released. Sites should review this advisory for specific vendor information. This advisory can be retrieved from:

        ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.08.innd
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.08.innd

---------------------------------------------------------------------------
AUSCERT thanks James Brister of the Internet Software Consortium for his rapid response to this vulnerability. AUSCERT also acknowledges Matt Power from MIT for his initial report of the problem and CERT/CC for their assistance.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

6 Jan 1997      Updated Section 3 to include information on the new version of INN (currently 1.5.1) which fixes the vulnerability described in this advisory.

13 Mar 1997     Updated Section 3 to include CERT/CC CA-97.08.innd with vendors information.

19 Mar 1997     Updated Section 3 to include current patch information and warning regarding installation of new versions of INN.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
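
Added example, not part of the AUSCERT advisory: a triage script that parses NNTP greeting banners of the form shown in Section 1 and maps the reported INN version to the remediation listed in Section 3. The function and constant names are hypothetical, and every sample banner except the advisory's own is constructed.

```python
import re

# Patch locations from Section 3.2 of the advisory, keyed by INN version string.
PATCHES = {
    "1.5": "ftp://ftp.isc.org/isc/inn/patches/security-patch.01",
    "1.4sec": "ftp://ftp.isc.org/isc/inn/patches/security-patch.02",
    "1.4unoff3": "ftp://ftp.isc.org/isc/inn/patches/security-patch.03",
    "1.4unoff4": "ftp://ftp.isc.org/isc/inn/patches/security-patch.03",
}
FIXED = (1, 5, 1)  # first release with the fix (Section 3.1)
UPGRADE = "upgrade to INN 1.5.1 (Section 3.1)"
# NNTP greeting: 200/201, host name, then "InterNetNews ... INN <version>".
BANNER_RE = re.compile(r"^20[01]\s+\S+\s+InterNetNews\b.*?\bINN\s+(\S+)")


def classify(banner):
    """Return (version, status, remediation) for one NNTP greeting line."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return (None, "not-inn-or-unparsed", None)
    version = m.group(1)
    # Compare only the leading numeric part, so "1.4unoff4" is read as 1.4.
    num = re.match(r"\d+(?:\.\d+)*", version)
    if not num:
        return (version, "unparsed-version", None)
    parts = tuple(int(p) for p in num.group(0).split("."))
    if parts >= FIXED:
        return (version, "fixed-release", None)
    # Older than 1.5.1: name the listed patch if there is one, else upgrade.
    return (version, "vulnerable", PATCHES.get(version, UPGRADE))


SAMPLE_BANNERS = [
    "200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready",  # from Section 1
    # The remaining banners are constructed for this example.
    "200 news2.example InterNetNews server INN 1.4unoff4 01-Jan-1996 ready",
    "200 news3.example InterNetNews server INN 1.5.1 01-Jan-1997 ready",
    "200 news4.example InterNetNews server INN 1.3 01-Jan-1995 ready",
    "200 news5.example some other NNTP server ready",
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(classify(line), "<-", line)
```

The banner is emitted by the installed server program, so given the CERT/CC warning in Section 3.1 a host reporting 1.5.1 after only "make update" can still carry the old parsecontrol script. Treat the result as triage and confirm the installed scripts directly.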