[2249] in bugtraq
INN1.4sec on Linux
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Sep 18 21:02:57 1995
Date: Mon, 18 Sep 1995 13:05:25 +0200
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Olaf Kirch <okir@monad.swb.de>
X-To: bugtraq@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
Hello,
here's a message I just posted to linux-security. Forgive me if it has
been discussed on bugtraq before, but several INN packages for Linux
still seem to be vulnerable.
Olaf
-----BEGIN PGP SIGNED MESSAGE-----
Hi all,
there's a problem with INN1.4sec as distributed on sunsite and probably
a number of Linux distributions. Control messages are parsed by shell
scripts, which (at least for some shells) allow remote users to execute
arbitrary commands on your news host. I tested this problem with bash
1.13.1-CWRU; other shells may or may not allow this kind of attack.
The problem involves putting `...` or $(...) commands in certain header
fields (Control, From, and Subject), and possibly the body (newgroup
messages). According to Rich Salz, this has been discussed on Usenet
already; the suggested fix is to use tr to filter out unwanted characters.
Please test out the patch attached below; if you find any problem with it,
please mail me as soon as possible. Otherwise, I will post a message to
linux-alert concerning this in a day or two. (The patch also adds a missing
sed filter for mailx tilde escapes).
A second problem I came across has to do with rnews. If you have rnews
installed, users may execute any commands by faking certain types of
news batches. rnews feeds these batches to small shell scripts below
LIBDIR/bin/rnews for unpacking, passing on the entire environment given
to it by the calling process--including PATH and IFS. The sample c7unbatch
script included in the distribution is not aware of this situation, and
executes `decode | /bin/compress -d'. A possible fix for this may be to
insert the following lines at the top of these scripts:
    IFS=" "
    PATH=/bin:/usr/bin
    . /usr/lib/news/innshellvars
    PATH=${RNEWS}:/bin:/usr/bin
Alternatively, you may want to simply set IFS to " " and invoke all
programs using their full pathnames.
While you're at it, you may also wish to make sure that TMPDIR points
to a directory accessible only to news, for instance SPOOLDIR/tmp. INN
shell scripts create a hell of a lot of tempfiles with names such
as inp$$, art$$, and so on, which can be fooled quite easily. The TMPDIR
variable is set in LIBDIR/innshellvars.
Best wishes
Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
******************************************************************
******** patch for INN. Indented to avoid pgp garbling ***********
******************************************************************
--- parsecontrol.old Fri Sep 15 10:24:35 1995
+++ parsecontrol Fri Sep 15 10:36:30 1995
@@ -6,9 +6,12 @@
. /usr/lib/news/innshellvars
WRITELOG=${NEWSBIN}/writelog
+# Avoid `...` and $(...) in headers. These seem to be safe
+GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]"
+
AZ=ABCDEFGHIJKLMNOPQRSTUVWXYZ
az=abcdefghijklmnopqrstuvwxyz
-FROM="`echo \"$1\" | tr ${AZ} ${az}`"
+FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -cd \"${GOODCHARS}\"`"
REPLYTO="$2"
case "$3" in
"")
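Review bot: the GOODCHARS whitelist added above FROM does not stop `$(...)`, because tr does not treat the `[...]` as a bracket expression: `[` and `]` are ordinary members of the set, and the trailing `-` sitting between `\012` and `]` is read as the range newline (octal 012) through `]` (octal 135), which admits `(`, `)`, `;`, `&`, `*`, `/`, `\`, `.` and every uppercase letter. Backticks (octal 140) lie above `]` and are deleted, so a backtick test passes while `$(id)` comes through `tr -cd` untouched. Put the `-` at the very end of the string (with no `]` after it) or drop the brackets altogether, and then add `.` explicitly, since From: addresses contain dots and as written they are only kept by accident of that range. Also `\010` is backspace; tab is `\011`, the value the IFS line near the end of this file uses.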
@@ -29,20 +32,23 @@
test -z "${PROG}" && PROG=all
${EGREP} "^(${PROG}|all):" <${CTLFILE} >${TEMP}
+ART=${TMPDIR}/art$$
+tr -cd "${GOODCHARS}" < ${ARTICLE} > ${ART}
+
## Get any arguments.
-if grep "^Control:[ ]*${PROG}" <${ARTICLE} >/dev/null 2>&1 ; then
- set X `${SED} -n -e "s/^Control:[ ]*${PROG}//p" -e '/^$/q' <${ARTICLE}`
+if grep "^Control:[ ]*${PROG}" <${ART} >/dev/null 2>&1 ; then
+ set X `${SED} -n -e "s/^Control:[ ]*${PROG}//p" -e '/^$/q' <${ART}`
shift
else
if grep "^Subject:[ ]*cmsg[ ]*${PROG}" \
- <${ARTICLE} >/dev/null 2>&1 ; then
+ <${ART} >/dev/null 2>&1 ; then
set X `${SED} -n -e "s/^Subject:[ ]*cmsg[ ]*${PROG}//p" \
- -e '/^$/q' <${ARTICLE}`
+ -e '/^$/q' <${ART}`
shift
else
- rm -f ${TEMP}
- ${MAILCMD} -s "Bad header by ${FROM}" \
- ${NEWSMASTER} <${ARTICLE}
+ ${SED} -e 's/^~/~~/' <${ART} | \
+ ${MAILCMD} -s "Bad header by ${FROM}" ${NEWSMASTER}
+ rm -f ${TEMP} ${ART}
exit
fi
fi
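Review bot: `ART=${TMPDIR}/art$$` is exactly the predictable `art$$` temp name the cover note warns about, and `tr -cd ... > ${ART}` is a plain redirection that follows a symlink already planted under that name; either guarantee TMPDIR is writable only by news, as the note suggests, or create the file under a name that is not a function of the pid alone. Since the filter runs over the whole article before any header is looked at, the `Bad header` mail to ${NEWSMASTER} now carries the filtered copy rather than the article as received, which loses the evidence an admin would want; feeding ${ARTICLE} through the `s/^~/~~/` sed instead keeps the original while still neutralising mailx tilde escapes.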
@@ -70,7 +76,7 @@
;;
esac"
done
-rm -f ${TEMP}
+rm -f ${TEMP} ${ART}
IFS="`echo stn | tr stn ' \011\012'`"
LOGFILE=mail
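Review bot: `${ART}` is deleted on this normal exit path and in the bad-header branch only; any other exit between `ART=${TMPDIR}/art$$` and this line leaves art$$ behind in TMPDIR, which a `trap 'rm -f ${TEMP} ${ART}' 0` at the point of creation would cover (and would let both `rm -f` lines go). Not part of the change, but visible in the context line below: the command substitution in ``IFS="`echo stn | tr stn ' \011\012'`"`` strips trailing newlines, so IFS ends up as space and tab only, which is worth knowing when following the cover note's advice on IFS.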
--- bin/control/newgroup.old Fri Sep 15 10:50:56 1995
+++ bin/control/newgroup Fri Sep 15 10:50:05 1995
@@ -3,6 +3,7 @@
## Newgroup control-message handler
PROG=newgroup
+GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]"
## Some shells don't pass in $* unless we explicitly pass it in here.
## =()<. @<_PATH_PARSECTL>@ "$@">()=
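Review bot: this is a second, byte-for-byte copy of GOODCHARS, so it carries the same `\012-]` range and `\010` problems as the parsecontrol definition, and the two copies will drift. newgroup sources parsecontrol (the `. @<_PATH_PARSECTL>@ "$@"` substitution right below), and parsecontrol sources innshellvars, so a single definition in parsecontrol or innshellvars is already in scope here and this line can go.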
@@ -127,7 +128,7 @@
p
q
}
-b scan"`
+b scan" | tr -cd "${GOODCHARS}"`
test -z "${DESC}" && {
DESC=`${EGREP} "^$1 " ${NEWSGROUPS} | ${SED} "s/[ ]*(Moderated)//"`
test -z "${DESC}" && DESC="$1 ?"
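Review bot: once GOODCHARS means what its comment says (`-` literal, no range), `tr -cd "${GOODCHARS}"` on the description extracted from the article strips `(` and `)`, so a `(Moderated)` tag reaches DESC as `Moderated`, while the `s/[ ]*(Moderated)//` below is applied only to the fallback taken from ${NEWSGROUPS}. As written, with the accidental range, parentheses and therefore `$(...)` pass through into DESC. Either run the `(Moderated)` substitution before the tr, or filter DESC with a set that allows `()` but not `$`, so that `$(` cannot form.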
******************************************************************
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBMF1RauFnVHXv40etAQGg/QP+La/8giuHSpVODbYM4PhrOqYldWdHjxH2
F5bjgSDvI6/4Cw7xaLVirEbfqMgTacJBEq5TJ/Ddgtls4WGsA3JLMsaBXltF7u5/
66o7/cvOgXCfpTi09WGgyL6Ns/4dej5s89FF7qrYhUb6kPbdjsxQfbobwhorsPFv
z92AldoUKg4=
=p2HJ
-----END PGP SIGNATURE-----
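A worked illustration of both problems in the post, added here as an example; it is not code from Olaf Kirch's message or from INN. The first part models the control-message case: a From: value is pasted into a case statement that the script runs through eval, so backticks, $(...) and $NAME inside the value are evaluated, and the value is then run through a tr -cd whitelist in the style of the patch. PATCH_GOODCHARS is the patch's string verbatim; GOODCHARS is a corrected variant (assumption: brackets dropped and the - placed last so tr keeps it literal, . allowed, \011 for tab instead of \010) and STRICTCHARS additionally drops the quote and dollar characters. The second part models the rnews unbatcher: a helper invoked by bare name under the inherited PATH, beside the version that resets IFS and PATH first as the post suggests. The function names, the sample headers, the LEAK variable, the fake decode command and the marker files are all constructed for this demonstration; tr is assumed to understand octal escapes (GNU and BSD tr both do).

```shell
#!/bin/sh
# Added example (not from Olaf Kirch's post or from INN): models the two
# problems in the post and what the suggested fixes do and do not stop.

# --- Part 1: control-message headers reaching eval ---

# The patch's set, verbatim.
PATCH_GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]"
# Corrected variant (assumption): no brackets, '-' last so tr keeps it literal,
# '.' allowed, \011 (tab) instead of \010 (backspace).
GOODCHARS="A-Za-z0-9_.: <@>!\"'\$\011\012-"
# Stricter variant (assumption): additionally no $ " ' so nothing in the value
# can expand or break quoting once the value is eval'd.
STRICTCHARS="A-Za-z0-9_.: <@>!\011\012-"

# Constructed stand-in for whatever the news user's environment holds.
LEAK=secret-value

# sanitize VALUE SET: keep only the characters of SET, as the patch does.
sanitize() {
    printf '%s' "$1" | tr -cd "$2"
}

# Vulnerable shape: the header value is interpolated into the text that eval
# runs, so `...`, $(...) and $NAME in it are evaluated. Prints what the case
# statement actually compared.
eval_case() {
    FROM="$1"
    SEEN=none
    eval "case \"${FROM}\" in
    *@example.com) SEEN=\"${FROM}\" ;;
    *) SEEN=other ;;
    esac"
    printf '%s\n' "$SEEN"
}

goodchars_case() { eval_case "$(sanitize "$1" "$GOODCHARS")"; }
strict_case()    { eval_case "$(sanitize "$1" "$STRICTCHARS")"; }

# --- Part 2: rnews unbatchers trusting the inherited environment ---

# Helper invoked by bare name, as in the c7unbatch shape the post describes.
unbatch_trusting_env() (
    decode </dev/null
)

# The post's fix: reset IFS and PATH before running anything.
unbatch_fixed_env() (
    IFS=" "
    PATH=/bin:/usr/bin
    decode </dev/null
)

# plant_fake_decode DIR: constructed attacker PATH entry; the fake decode
# only records that it ran by touching DIR/decode-ran.
plant_fake_decode() {
    mkdir -p "$1/evil"
    printf '#!/bin/sh\ntouch "%s"\n' "$1/decode-ran" >"$1/evil/decode"
    chmod 755 "$1/evil/decode"
}

# --- Stand-alone demonstration (constructed marker files) ---
WORK=$(mktemp -d)
MARK="$WORK/pwned"

eval_case "\`touch $MARK\`@example.com" >/dev/null
[ -e "$MARK" ] && echo "unfiltered header: backtick command ran"
rm -f "$MARK"
goodchars_case "\$(touch $MARK)@example.com" >/dev/null
[ -e "$MARK" ] || echo "filtered header: nothing ran"
echo "goodchars keeps \$NAME expansion: $(goodchars_case '$LEAK@example.com')"  # secret-value@example.com
echo "strict set does not:             $(strict_case '$LEAK@example.com')"     # LEAK@example.com
echo "patch set as written passes:     $(sanitize '$(id)' "$PATCH_GOODCHARS")" # $(id)

plant_fake_decode "$WORK"
PATH="$WORK/evil:$PATH"
unbatch_trusting_env
[ -e "$WORK/decode-ran" ] && echo "inherited PATH: fake decode ran"
rm -f "$WORK/decode-ran"
unbatch_fixed_env 2>/dev/null || true
[ -e "$WORK/decode-ran" ] || echo "reset PATH: fake decode not reachable"
rm -rf "$WORK"
```

Two residuals this model makes visible: with the patch's character set, `$` survives, so a bare `$NAME` in a header is still expanded when the value reaches eval, and `"` and `'` survive too, so a value can terminate the quotes placed around it in an eval'd string; only the STRICTCHARS variant closes both. The PATH part only shows the PATH half of the post's warning, since modern shells do not re-split literal words on IFS the way the post's shells may have.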