===============================================================================
                          Security Advisory CERT-NL
===============================================================================
Author/Source : Olav ten Bosch                          Index  : S-96-78
Distribution  : World                                   Page   : 1
Classification: External                                Version: 1
Subject       : Vulnerability in INN                    Date   : 11-Dec-96
===============================================================================

By courtesy of AUSCERT we received information on a vulnerability in INN
(InterNetNews). CERT-NL recommends applying the vendor patches mentioned
below.

==============================================================================
AA-96.19                        AUSCERT Advisory
                         INN parsecontrol Vulnerability
                                10 December 1996

Last Revised: --

---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in all
versions of INN (InterNetNews) up to and including 1.5.

This vulnerability allows intruders to execute arbitrary commands on the
news server by sending a carefully crafted news control message. These
commands will be executed using the privileges of the user configured to
run the INN software (usually "news").

Information concerning this vulnerability has been widely released.
---------------------------------------------------------------------------

1.  Description

    All versions of INN (up to and including 1.5) contain a security
    vulnerability. This vulnerability allows remote users to execute
    arbitrary commands on the news server by sending it a carefully crafted
    news control message. These commands will be executed using the
    privileges of the user configured to run the INN software (usually
    "news"). This may be further leveraged to gain root access, depending
    on the configuration of the operating system and the INN software.

    As this is a vulnerability based upon the content of the news message,
    it is possible to attack news servers that are located behind firewalls
    and other boundary protection systems if the control message is passed
    through to the server.

    The version of INN running on the system can be determined by
    connecting to the nntp port (119) of the news server:

        % telnet localhost 119
        200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready

    Type "quit" to exit.

2.  Impact

    Remote users may be able to execute arbitrary commands on the news
    server with the privileges of the user configured to run the INN
    software (usually "news"). This may be further leveraged to gain root
    access depending on the configuration of the operating system and the
    INN software.

3.  Workarounds/Solution

    AUSCERT recommends that news servers running the vulnerable versions of
    INN should limit the possible exploitation of this vulnerability by
    immediately applying the vendor patches listed in Section 3.1.

3.1 Apply Vendor Patches

    James Brister, the current maintainer of INN, has made available
    security patches for common versions of INN that address the
    vulnerability described in this advisory.

    For INN versions 1.4unoff3, 1.4unoff4 and 1.5:

        ftp://ftp.vix.com/pub/inn/patches/security-patch.01

    For INN version 1.4sec:

        ftp://ftp.vix.com/pub/inn/patches/security-patch.02

    The MD5 checksums for these patches are:

        MD5 (security-patch.01) = 06131a3d1f4cf19d7d1e664c10306fa8
        MD5 (security-patch.02) = 3a964ba0b2b2baf678ef554c67bb28f2

    AUSCERT recommends sites running previous versions of INN upgrade to
    the latest version of INN (version 1.5) and then apply
    security-patch.01. More information regarding the current release of
    INN can be found at:

        http://www.isc.org/isc/inn.html

---------------------------------------------------------------------------
AUSCERT thanks James Brister of the Internet Software Consortium for his
rapid response to this vulnerability. AUSCERT also acknowledges Matt Power
from MIT for his initial report of the problem.
==============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:

    http://www.surfnet.nl/surfnet/security/cert-nl.html
    ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================
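
Added example, not part of the advisory and not AUSCERT, CERT-NL or INN project code: shell functions that read the INN version from the NNTP greeting shown in Section 1, pick the patch Section 3.1 names for that version, and compare a downloaded file's MD5 with the published value. The function names are hypothetical, and md5sum (GNU) or md5 -q (BSD) is assumed to be installed.

```sh
# MD5 checksums as published in Section 3.1 of the advisory.
MD5_PATCH_01=06131a3d1f4cf19d7d1e664c10306fa8
MD5_PATCH_02=3a964ba0b2b2baf678ef554c67bb28f2

# Print the INN version from an NNTP greeting (200/201); return 1 otherwise.
inn_version_from_banner() {
    v=$(printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^20[01] .*InterNetNews server INN \([^ ]*\).*$/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Print the patch the advisory names for a version. Returns 2 for unlisted
# versions (advice there: upgrade to 1.5, then apply security-patch.01).
patch_for_version() {
    case "$1" in
        1.4unoff3|1.4unoff4|1.5) echo security-patch.01 ;;
        1.4sec)                  echo security-patch.02 ;;
        *)                       return 2 ;;
    esac
}

# Print the published MD5 for a patch name; return 1 if the name is unknown.
published_md5() {
    case "$1" in
        security-patch.01) echo "$MD5_PATCH_01" ;;
        security-patch.02) echo "$MD5_PATCH_02" ;;
        *)                 return 1 ;;
    esac
}

# Print a file's MD5 using md5sum (GNU) or md5 -q (BSD).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 only if the file exists and its MD5 equals the expected value.
verify_md5() {
    [ -f "$1" ] || return 1
    [ "$(file_md5 "$1")" = "$2" ]
}

# Constructed sample input: the greeting quoted in Section 1.
ver=$(inn_version_from_banner '200 a.b.c InterNetNews server INN 1.5 28-Nov-1996 ready')
echo "INN $ver -> $(patch_for_version "$ver")"
```

The advisory does not say that the patches change the greeting, so the banner identifies the release only and is not evidence of patch status. After downloading, run verify_md5 ./security-patch.01 "$(published_md5 security-patch.01)" before applying the patch.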