The first vulnerability we will discuss involves the INN daemon (the innd process). innd processes "newgroup" and "rmgroup" control messages in a shell script named parsecontrol, which uses the shell's eval command. Data taken from the body of a news message can reach that eval command, and such data may contain actual shell commands, which the shell will then execute on the system. This is possible because, in certain circumstances, the data handed to eval is not adequately checked for characters that are special to the shell.
This means, of course, that anyone who can send messages to an INN server (that is, almost anyone with Usenet access) may be able to execute arbitrary commands on the server on which INN resides. These commands run with the uid and privileges of the innd process on that server (thus, if innd runs as root, the attacker's commands execute with root privileges). Because such specially formatted news messages are usually passed right through a firewall to the news server, systems hosting innd behind a firewall are still vulnerable to this attack. Also, because the commands are executed before the system performs any authorization checking, programs such as pgpverify will not prevent this problem.
The second vulnerability we will discuss is similar to, but not the same as, the one described above. This problem is found in INN together with ucbmail (the program typically configured as INN's default mailer). As in the first vulnerability, it concerns specially formatted messages whose body contains certain shell "metacharacters". Normally, INN checks for and removes these metacharacters from data in control messages. In certain circumstances, however, these checks are inadequate, and the metacharacters are passed "as-is" to the ucbmail mailer program. ucbmail performs no metacharacter checking of its own and passes them on to the shell, where they are interpreted. Using these metacharacters, a malicious user may be able to execute commands on the system hosting INN: for instance, overwrite the system's password file, run background processes that collect information or even, in the worst case, delete the contents of that system's root file system.
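Both vulnerabilities above come down to the same pattern: text taken from an untrusted news message is handed to a shell (directly via eval in the first case, via the mailer's command line in the second) without first being checked for shell metacharacters. The following is an added illustration of that pattern, not code from INN, parsecontrol or ucbmail. It shows a deliberately vulnerable control-message dispatcher that uses eval next to a hardened one that validates the group name and never re-parses it; the control lines, group names and handler function are constructed for this example, and the allowed character set for a group name is an assumption made here for illustration.

```sh
#!/bin/sh
# Added example (not INN's own code): unchecked message text reaching eval,
# next to a version that validates the data and avoids eval entirely.

# Stand-in for the real action taken on a valid control message.
handle_newgroup() {
    printf 'created group %s\n' "$1"
}

# Split "verb args" from a constructed Control: header value.
split_control() {
    verb=${1%% *}
    case $1 in
        *" "*) args=${1#* } ;;
        *)     args= ;;
    esac
}

# VULNERABLE: the group name is taken straight from the message and then
# re-parsed by eval, so ';', '|', '`' and '$(...)' become shell syntax.
vulnerable_dispatch() {
    split_control "$1"
    case $verb in
        newgroup) eval "handle_newgroup $args" ;;
        *)        printf 'ignored control: %s\n' "$verb" ;;
    esac
}

# Assumed rule for this example: a group name is non-empty and consists only
# of lower-case letters, digits, '.', '+', '_' and '-'. Anything else,
# including every shell metacharacter and whitespace, is rejected.
valid_group_name() {
    case $1 in
        '' | *[!a-z0-9.+_-]*) return 1 ;;
        *)                    return 0 ;;
    esac
}

# HARDENED: validate first, then call the handler directly. The name is passed
# as a single quoted argument, so the shell never re-parses it. The same
# validated value is what should be handed to a mailer, never the raw text.
safe_dispatch() {
    split_control "$1"
    case $verb in
        newgroup)
            if valid_group_name "$args"; then
                handle_newgroup "$args"
            else
                printf 'rejected: bad group name\n'
                return 1
            fi
            ;;
        *) printf 'ignored control: %s\n' "$verb" ;;
    esac
}

# Demonstration with a constructed hostile control line. The payload is a
# harmless echo; in a real attack it would be whatever the attacker chose.
hostile='newgroup comp.lang.c;echo INJECTED'

printf -- '--- vulnerable ---\n'
vulnerable_dispatch "$hostile"          # runs the injected echo
printf -- '--- hardened ---\n'
safe_dispatch 'newgroup comp.lang.c'    # accepted
safe_dispatch "$hostile" || true        # rejected, nothing executed
```

The check is a positive allow-list on the data itself rather than a search for known-bad characters, which is the approach that fails in the second vulnerability when the metacharacter filter is incomplete. Dropping eval matters just as much: once the group name is passed as one argument, there is no second round of shell parsing for metacharacters to exploit.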
If the version of INN being run is earlier than 1.6, the surest fix is to upgrade to version 1.6 or later. The latest version of INN can always be found at the Internet Software Consortium's (ISC) INN site. ISC is the primary developer of INN.
If it is not practical to upgrade to version 1.6 or later at this time, and you are running a version of INN earlier than 1.5.1, then it is strongly recommended that you at least upgrade to version 1.5.1 (the link points to the ISC ftp site, which is often reorganized as newer versions of INN are released; if you need help navigating it, please contact ISC). When upgrading to version 1.5.1, be sure to read the README file carefully. Once you have upgraded to version 1.5.1, you must then install Security-Patch.05. This patch protects your INN installation from the vulnerabilities discussed in this brief, and from others as well. It would nevertheless be wise to visit the ISC INN site from time to time to keep abreast of any emerging security issues relating to INN version 1.5.1, and to download and install any relevant patches that become available.
If you choose not to upgrade to version 1.5.1, 1.6 or a later version of INN, be aware that you will remain vulnerable to certain exploits. Patches are available for some versions earlier than 1.5.1, but not for all of them (for example, INN version 1.4sec2 has no patch for the exploits discussed above). These patches may be found at the ISC INN site. As always, it is also a good idea to check with your OS vendor to learn about any OS-specific security issues.