INND Version Vulnerability

CVE 1999-0043
CVE 1999-0100
CVE 1999-0705
CVE 1999-0868

Summary

All versions of innd below 1.6 contain a variety of vulnerabilities.

Impact

Malicious users exploiting these vulnerabilities may be able to gain unauthorized access, possibly even root access, to a target system, and may also be able to execute arbitrary commands on the system on which the innd process is running. These commands will be executed with the same privileges as the innd (INN daemon) process. Systems running innd behind a firewall may also, in many cases, be vulnerable.

The Problems

As stated earlier, versions of innd below 1.6 contain a variety of vulnerabilities. These include buffer overflow vulnerabilities (by which a malicious user may be able to gain root access), as well as vulnerabilities allowing anyone with access to the system running innd to execute arbitrary commands on that system. While only a few of these exploits will be discussed here, please keep in mind that the fix for all of the vulnerabilities found in innd below version 1.6 is to upgrade to version 1.6 or greater! If upgrading to version 1.6 is not practical for you at this time, you may also apply patches for the various problems associated with innd (see below for more information on these patches).

CVE 1999-0043

The first vulnerability we will discuss involves the INN daemon (or, innd process). The INN daemon processes "newsgroup" and "rmgroup" control messages in a shell script, the name of which is parsecontrol, that uses the shell's eval command. It is possible to pass information to the eval command in the body of a news message (such information may be actual commands which will be executed on the system). This is possible due to the fact that the information passed to eval, in certain circumstances, is not adequately checked for characters that are special to the shell.

This means, of course, that anyone who is able to send messages to an INN server (which is almost anyone with Usenet access) may potentially be able to execute arbitrary commands on the server on which INN resides. These commands will run with the uid and privileges of the innd process on that server (thus, if innd runs as root, any arbitrary commands will execute with root privileges). As these specially formatted news messages are usually passed right through a firewall to a news server, systems hosting innd behind a firewall are still vulnerable to this type of attack. Also, as the commands are executed before the system does authorization checking, programs such as pgpverify will not prevent this problem.

CVE 1999-0868

The second vulnerability we will discuss is similar to, but not the same as, the vulnerability discussed above. This problem is found in INN and also in ucbmail (a program typically configured as INN's default mailer). As in the vulnerability described above, this problem also concerns specially formatted messages which contain, in the body of the message, certain shell "metacharacters". Normally, INN will perform checks for, and remove, these metacharacters from data in control messages. However, in certain circumstances these checks are inadequate, and these metacharacters are passed on "as-is" to the ucbmail mailer program. ucbmail, which lacks the capability to do metacharacter checking, passes these metacharacters on to the shell, where they are processed. Using these metacharacters, a malicious user may have the ability to execute commands on the system hosting INN. For instance, the user may decide to overwrite the system's password file, run background processes that collect information or even, in worst case scenarios, delete the contents of that system's root file system.

Resolution

The first step is to determine if you are vulnerable to the exploits discussed above (and to others, depending on which version of INN is being run). To do so, first connect (using telnet, for example) to port 119 (the standard NNTP port) of the system running your news server. Once you have successfully connected, you will see a greeting line of text, and in this line you will see the version number of the INN program that is being used. For example, you might see text similar to this: In the above example, we can see that the version number is 1.4, which means, of course, that it is vulnerable to the attacks discussed above. Once you have determined which version of INN is being hosted on the system, simply type "quit" to exit the connection.
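The version check described above, as an added example that is not part of this advisory or of INN: it parses the INN version out of a greeting line and maps it to the advisory's recommendation (1.6 or later is fine; 1.5.1 needs Security-Patch.05 or an upgrade; anything older should be upgraded). The sample greetings, hostnames and the helper names are constructed for illustration.

```python
import re
import socket

# Constructed sample greetings shaped like the line INN prints on port 119.
# Hostnames and dates are made up; only the "INN <version>" token matters here.
SAMPLE_BANNERS = {
    "old":   "200 news.example.org InterNetNews server INN 1.4 22-Dec-93 ready",
    "sec2":  "200 news.example.org InterNetNews server INN 1.4sec2 ready",
    "fixed": "200 news.example.org InterNetNews NNRP server INN 1.6 ready (posting ok).",
    "other": "200 news.example.org NNTP service ready",
}

# Numeric part of the version only; a suffix such as "sec2" is dropped,
# which is correct for this check since 1.4sec2 is still below 1.5.1.
_VERSION_RE = re.compile(r"\bINN\s+(\d+(?:\.\d+)*)")


def parse_inn_version(banner):
    """Return the INN version as a tuple of ints ('1.5.1' -> (1, 5, 1)),
    or None when the greeting does not identify an INN version."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def advise(banner):
    """Map a greeting line to the advisory's recommendation."""
    v = parse_inn_version(banner)
    if v is None:
        return "not-inn"                 # some other NNTP server; check separately
    if v >= (1, 6):
        return "ok"                      # 1.6 or later
    if v >= (1, 5, 1):
        return "install-security-patch-05-or-upgrade"
    return "upgrade"                     # below 1.5.1: upgrade to 1.5.1 + patch, or 1.6+


def fetch_banner(host, port=119, timeout=10):
    """Read the greeting from a live server, then send QUIT as the advisory says.
    Hypothetical helper; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.makefile("rb").readline().decode("ascii", "replace").rstrip("\r\n")
        s.sendall(b"QUIT\r\n")
    return banner


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, parse_inn_version(banner), advise(banner))
```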

If the version of INN that is being run is earlier than 1.6, the surest fix is to upgrade to version 1.6 or later. You may always find the latest version of INN at the Internet Software Consortium's (ISC) INN Site. ISC is the primary developer of INN.

If it is not practical to upgrade to version 1.6 or later at this time, and you are running a version of INN previous to version 1.5.1, then it is strongly recommended that you at least upgrade to version 1.5.1 (this link will take you to the ISC ftp site, which is often reorganized as newer versions of INN are released. If you need any help navigating through this site, please contact ISC). When upgrading to version 1.5.1, please be sure to read the README file carefully. Once you have upgraded to version 1.5.1, you must then install Security-Patch.05. This patch will protect your INN installation from the vulnerabilities discussed in this brief, and others as well. However, it would be wise to visit the ISC INN site from time to time to keep abreast of any emerging security issues relating to INN version 1.5.1, and also to download and install any relevant patches that may become available.

If you choose not to upgrade to version 1.5.1, 1.6 or a later version of INN, please be aware that you will remain vulnerable to certain exploits. Patches are available for some versions earlier than 1.5.1, but not all (for example, INN version 1.4sec2 has no patch for the exploits discussed above). These patches may be found at the ISC INN site. As always, it is a good idea to check with your OS vendor to learn about any OS-specific security issues.

Where can I read more about this?

You may read more about the INN vulnerability on CERT's INN Vulnerability Advisory page. This is an excellent source of information for the vulnerabilities discussed in this briefing. It includes links to patches for most versions of INN, as well as copious amounts of information from various OS vendors. Internet Software Consortium's (ISC) INN Site should be, as a rule, visited on a regular basis if you are running INN. Other good sources of information for INN vulnerabilities/issues include Bugtraq and Mib Software's INN Site. Also, a standard search on any Web search site (such as Infoseek or Yahoo) using the keyword innd should return a wealth of information on this topic.