===============================================================================
                          Security Advisory CERT-NL
===============================================================================
Author/Source : Peter Jurg                         Index         : S-97-59
Distribution  : World                              Page          : 1
Classification: External                           Version       : 1
Subject       : INN News Server Vulnerabilities    Date          : 25-Jul-97
===============================================================================

By courtesy of Secure Networks Inc. we received information on a vulnerability
in INN News servers (all versions prior to 1.6). CERT-NL recommends following
the fix information described below.

==============================================================================

INN news server vulnerabilities

This advisory addresses a number of vulnerabilities present in all versions of
INN prior to version 1.6.

Problem Description:

A number of vulnerabilities exist in all versions of INN prior to version 1.6
which allow remote individuals to obtain access to vulnerable systems. Post
access is required to exploit these vulnerabilities. However, due to the method
with which news is propagated, once a single server has been broken into, all
of its peers can be accessed.

Technical Details:

A number of string copies within the INN news server fail to check the size of
the data they are copying. This results in buffer overflows in several
locations, allowing individuals to execute commands remotely, including
spawning a shell on the NNTP port.

An example of this situation is in the processing of the "From: " line by the
nnrpd process. In the ARTpost function in post.c, the From: line is copied into
a buffer on the stack without performing bounds checking:

    STRING
    ARTpost(article, idbuff)
    ...
        char    buff[NNTP_STRLEN + 2], frombuf[SMBUF];
    ...
        strcpy(frombuf, HDR(_from));
    ...
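As an added illustration (not code from INN or from the advisory), the unchecked copy above is shown beside a bounded replacement that rejects an over-long From: value instead of truncating it silently. The value of SMBUF, the 240/441 reply strings and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SMBUF is INN's small-buffer size; 256 is an assumed value for this example. */
#define SMBUF 256

/* The pattern the advisory describes: strcpy() copies the whole From: value
 * with no length check, so any value of SMBUF or more bytes runs past the
 * end of frombuf on the stack. Kept here only for contrast; never called. */
void copy_from_unchecked(char *frombuf, const char *from)
{
    strcpy(frombuf, from);
}

/* Hardened replacement: verify the value fits (including the NUL) before
 * copying, and report failure instead of truncating silently. */
bool copy_from_checked(char *frombuf, size_t bufsize, const char *from)
{
    size_t len = strlen(from);
    if (len >= bufsize)
        return false;               /* caller must reject the article */
    memcpy(frombuf, from, len + 1);
    return true;
}

/* Hypothetical nnrpd-style verdict for one From: value: "240" accepts,
 * "441" (NNTP "posting failed") rejects an over-long header. */
const char *check_from_header(const char *from)
{
    char frombuf[SMBUF];
    if (!copy_from_checked(frombuf, sizeof frombuf, from))
        return "441 From: header too long";
    return "240 Article posted";
}

/* Constructed over-long From: value (SMBUF + 63 'A' bytes, NUL-terminated). */
const char *make_long_from(void)
{
    static char longfrom[SMBUF + 64];
    memset(longfrom, 'A', sizeof longfrom - 1);
    longfrom[sizeof longfrom - 1] = '\0';
    return longfrom;
}

int main(void)
{
    printf("%s\n", check_from_header("user@example.org (A User)"));
    printf("%s\n", check_from_header(make_long_from()));
}
```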
By crafting appropriate arguments in the From: header of the message, an
attacker can cause nnrpd to overwrite its stack, overwrite the function return
pointer on the stack, and thus execute arbitrary binary code.

Vulnerable Operating Systems and Software

All versions of INN prior to version 1.6 are vulnerable. To determine which
version of INN you are running, issue the following command on your news
server:

    % telnet localhost 119

Your NNTP server version string will be displayed. A typical output from a
vulnerable NNTP server would read:

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    200 freebsd.secnet.com InterNetNews NNRP server INN 1.5.1 17-Dec-1996 ready

A line reading:

    telnet: Unable to connect to remote host: Connection refused

means that you are not running an NNTP server.

Fix Information

INN version 1.6 has been made available at ftp://ftp.isc.org/isc/inn. A fix
will not be made available for prior releases and it is suggested that all
users running INN upgrade to version 1.6 immediately. Please note that INN
version 1.6 is currently in beta testing stages, therefore new versions may
appear at this location in the future.

==============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
http://www.surfnet.nl/surfnet/security/cert-nl.html
ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).
Email:     cert-nl@surfnet.nl            ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305               BUSINESS HOURS ONLY
Fax:       +31 302 305 329               BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

EMERGENCIES (NL): 06 52 87 92 82         ATTENDED AT ALL TIMES
EMERGENCIES     : +31 6 52 87 92 82      ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR
DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN
APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.

==============================================================================