SNI-16: INN News Server Security Advisory

Secure Networks Inc. (sni@SILENCE.SECNET.COM)
Mon, 21 Jul 1997 14:47:50 -0600

-----BEGIN PGP SIGNED MESSAGE-----

###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.

Secure Networks Inc.

Security Advisory
July 21, 1997

INN news server vulnerabilities

This advisory addresses a number of vulnerabilities present in all
versions of INN prior to version 1.6.

Problem Description:
~~~~~~~~~~~~~~~~~~~~

A number of vulnerabilities exist in all versions of INN prior to
version 1.6 which allow remote individuals to obtain access to
vulnerable systems. Post access is required to exploit these
vulnerabilities. However, due to the method with which news is
propagated, once a single server has been broken into, all of its
peers can be accessed.

Technical Details:
~~~~~~~~~~~~~~~~~~

A number of string copies within the INN news server fail to check
the size of data they are copying. This results in buffer overflows
in several locations, allowing individuals to execute commands
remotely, including spawning a shell on the NNTP port.

An example of this situation is in the processing of the "From: "
line by the nnrpd process. In the ARTpost function in post.c, the
From: line is copied into a buffer on the stack without performing
bounds checking:

STRING
ARTpost(article, idbuff)
...
char buff[NNTP_STRLEN + 2], frombuf[SMBUF];
...
strcpy(frombuf, HDR(_from));
...

By crafting appropriate arguments in the From: header of the message,
an attacker can cause nnrpd to overwrite its stack, overwrite
the function return pointer on the stack, and thus execute arbitrary
binary code.

Vulnerable Operating Systems and Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All versions of INN prior to version 1.6 are vulnerable. To determine
which version of INN you are running, issue the following command on
your news server:

% telnet localhost 119

Your NNTP server version string will be displayed. A typical output from
a vulnerable NNTP server would read:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 freebsd.secnet.com InterNetNews NNRP server INN 1.5.1 17-Dec-1996 ready

A line reading:

telnet: Unable to connect to remote host: Connection refused

means that you are not running an NNTP server.

Fix Information
~~~~~~~~~~~~~~~

INN version 1.6 has been made availible at ftp://ftp.isc.org/isc/inn. A
fix will not be made availible for prior releases and it is suggested that
all users running INN upgrade to version 1.6 immediately.

Please note that INN version 1.6 is currently in beta testing stages,
therefore new versions may appear at this location in the future.

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

Secure Networks Inc. wishes to thanks James Brister <brister@isc.org> for
his assistance in this advisory and a resolution to these problems.

You can contact Secure Networks Inc. at <sni@secnet.com> using the
following PGP key:

Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
Secure Networks <security@secnet.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
- -----END PGP PUBLIC KEY BLOCK-----

You can find past Secure Networks advisories at
http://www.secnet.com/advisories or at ftp://ftp.secnet.com/pub/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending
mail to majordomo@secnet.com with the line "subscribe sni-advisories"

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks
Inc, and may be distributed freely provided that no fee is charged
for distribution, and that proper credit is given.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBM9PVqbgIhFKeVQANAQGUagQAqnL7UA63jBHVjENXgB9+wMxoiCXZD0Me
a4ZtLdw2EYTs9Pk9XylCjyqsLzG/O3yb//xkAaBZ3FVuraiunIC8oNt/o/BWZptO
dYNUG8EJsrQE9Ea/rtJuX8F63ZJfGMTzGGEVzZm6Ue35mS1x6oyrrPeV7kfnXdaw
MyWwElgzYI0=
=pZI6
-----END PGP SIGNATURE-----