Bugtraq mailing list archives

INN1.4sec on Linux


From: okir () monad swb de (Olaf Kirch)
Date: Mon, 18 Sep 1995 13:05:25 +0200


Hello,

here's a message I just posted to linux-security. Forgive me if it has
been discussed on bugtraq before, but several INN packages for Linux
still seem to be vulnerable.

Olaf



Hi all,

there's a problem with INN1.4sec as distributed on sunsite and probably
a number of Linux distributions. Control messages are parsed by shell
scripts, which (at least for some shells) allow remote users to execute
arbitrary commands on your news host. I tested this problem with bash
1.13.1-CWRU; other shells may or may not allow this kind of attack.

The problem involves putting `...` or $(...) commands in certain header
fields (Control, From, and Subject), and possibly the body (newgroup
messages). According to Rich Salz, this has been discussed on Usenet
already; the suggested fix is to use tr to filter out unwanted characters.
Please test out the patch attached below; if you find any problem with it,
please mail me as soon as possible. Otherwise, I will post a message to
linux-alert concerning this in a day or two. (The patch also adds a missing
sed filter for mailx tilde escapes).
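As an added illustration of the whitelist approach described above (not code from the original post or from INN), a small POSIX sh script that filters a constructed article with tr and then extracts the control-message arguments the way parsecontrol does; the character class, the function names and the sample article are mine.

```shell
#!/bin/sh
# Added example; not code from the original post or from the INN distribution.
# Whitelist for header values. This is my own class, not the patch's GOODCHARS:
# it keeps '.' and '+' so newsgroup names and addresses survive, and drops
# '$', quotes and backquotes, so neither a command substitution nor a
# variable expansion can be assembled from a header once it is filtered.
# \011 is tab and \012 newline; the trailing '-' is a literal hyphen.
GOODCHARS='A-Za-z0-9_.:+ <@>!\011\012-'
TAB=$(printf '\t')

# Delete every character of $1 that is not in the whitelist.
sanitize() {
    printf '%s' "$1" | tr -cd "$GOODCHARS"
}

# Extract the arguments of control program $1 from article text $2 the way
# parsecontrol does: a "Control:" header wins, otherwise "Subject: cmsg ...".
# The whole article is filtered first, so the result contains only GOODCHARS.
control_args() {
    prog=$1
    art=$(printf '%s\n' "$2" | tr -cd "$GOODCHARS")
    args=$(printf '%s\n' "$art" | sed -n -e "s/^Control:[ $TAB]*$prog//p" -e '/^$/q')
    if [ -z "$args" ]; then
        args=$(printf '%s\n' "$art" |
            sed -n -e "s/^Subject:[ $TAB]*cmsg[ $TAB]*$prog//p" -e '/^$/q')
    fi
    printf '%s\n' "$args" | sed "s/^[ $TAB]*//"
}

# Constructed sample article (not a real posting). The From: line carries the
# substitution syntax the post warns about, built from meaningless names.
ARTICLE=$(printf '%s\n' 'From: a`b` $(c) <someone@example.net>' \
    'Subject: cmsg newgroup comp.example.test' \
    'Control: newgroup comp.example.test' \
    'Approved: someone@example.net' '' \
    'For your newsgroups file:' "comp.example.test${TAB}An example group (test)")

main() {
    echo "newgroup args:  $(control_args newgroup "$ARTICLE")"
    echo "sanitized From: $(sanitize 'a`b` $(c) <someone@example.net>')"
}
main
```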

A second problem I came across has to do with rnews. If you have rnews
installed, users may execute any commands by faking certain types of
news batches. rnews feeds these batches to small shell scripts below
LIBDIR/bin/rnews for unpacking, passing on the entire environment given
to it by the calling process--including PATH and IFS. The sample c7unbatch
script included in the distribution is not aware of this situation, and
executes `decode | /bin/compress -d'. A possible fix for this may be to
insert the following lines at the top of these scripts:

    IFS=" "
    PATH=/bin:/usr/bin
    . /usr/lib/news/innshellvars
    PATH=${RNEWS}:/bin:/usr/bin

Alternatively, you may want to simply set IFS to " " and invoke all
programs using their full pathnames.

While you're at it, you may also wish to make sure that TMPDIR points
to a directory accessible only to news, for instance SPOOLDIR/tmp. INN
shell scripts create a hell of a lot of tempfiles with names such
as inp$$, art$$, and so on, which can be fooled quite easily. The TMPDIR
variable is set in LIBDIR/innshellvars.
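An added example (not code from the original post or from INN) that turns the two suggestions above, the IFS/PATH reset for the rnews unbatch scripts and a TMPDIR that only news can write to, into a reusable prologue; the innshellvars path and the RNEWS/TMPDIR names come from the post, the function names and the directory check are mine.

```shell
#!/bin/sh
# Added example; not code from the original post or from the INN distribution.
# Hardened prologue for the unbatch scripts rnews runs (c7unbatch and the
# like) and for any INN script that writes inp$$/art$$ style temp files.
# The innshellvars path and the RNEWS/TMPDIR names follow the post; the
# function names are mine. INNSHELLVARS may be overridden for testing.
INNSHELLVARS=${INNSHELLVARS:-/usr/lib/news/innshellvars}

# Throw away whatever IFS and PATH the caller handed us before running any
# program, then read INN's settings and put RNEWS first, as the post suggests.
reset_env() {
    IFS=' '                 # the post's choice; parsecontrol uses space/tab/newline
    PATH=/bin:/usr/bin
    export PATH
    if [ -r "$INNSHELLVARS" ]; then
        . "$INNSHELLVARS"
        PATH=${RNEWS}:/bin:/usr/bin
    fi
}

# Accept a temp directory only if it is a real directory (not a symlink)
# that nobody outside the owning user and group can write to. Predictable
# names such as inp$$ are only safe inside such a private directory.
check_tmpdir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -L "$dir" ] && return 1
    # -prune keeps find on the directory itself; -perm -002 is "other-writable"
    [ -z "$(find "$dir" -prune -perm -002 -print)" ] || return 1
    return 0
}

# Create a scratch file with an unpredictable name, readable only by us,
# inside a checked TMPDIR; use this instead of ${TMPDIR}/art$$.
private_tmpfile() {
    check_tmpdir "$1" || return 1
    ( umask 077 && mktemp "$1/art.XXXXXX" )
}

main() {
    reset_env
    if f=$(private_tmpfile "${TMPDIR:-/tmp}"); then
        echo "scratch file: $f"; rm -f "$f"
    else
        echo "TMPDIR is not private; point it at SPOOLDIR/tmp in innshellvars"
    fi
}
main
```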

Best wishes
Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir () brewhq swb de.
******************************************************************
******** patch for INN. Indented to avoid pgp garbling ***********
******************************************************************
 --- parsecontrol.old   Fri Sep 15 10:24:35 1995
 +++ parsecontrol       Fri Sep 15 10:36:30 1995
 @@ -6,9 +6,12 @@
  . /usr/lib/news/innshellvars
  WRITELOG=${NEWSBIN}/writelog

 +# Avoid `...` and $(...) in headers. These seem to be safe
 +GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]"
 +
  AZ=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  az=abcdefghijklmnopqrstuvwxyz
 -FROM="`echo \"$1\" | tr ${AZ} ${az}`"
 +FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -cd \"${GOODCHARS}\"`"
  REPLYTO="$2"
  case "$3" in
  "")
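Review bot: the class in `GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]"` contains no `.`, so `tr -cd` strips the dots out of every newsgroup name and address it touches; once the later hunks filter the whole article, a `Control: newgroup comp.os.linux` line loses its dots before the arguments are extracted. Two smaller points on the same line: `\010` is octal for backspace, not tab (`\011`, as the `tr stn ' \011\012'` line in the third hunk uses), and `$`, `'` and `"` are still admitted, so although backquotes and `$(`...`)` can no longer be formed, a plain `$NAME` expansion survives into any later `eval` (the quoted `case ... esac"` string whose tail shows in the third hunk looks like one). Suggest something like `[A-Za-z0-9_.+ :<@>!\011\012-]`, and replacing the "These seem to be safe" comment with a statement of what the class is meant to admit.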
 @@ -29,20 +32,23 @@
  test -z "${PROG}" && PROG=all
  ${EGREP} "^(${PROG}|all):" <${CTLFILE} >${TEMP}

 +ART=${TMPDIR}/art$$
 +tr -cd "${GOODCHARS}" < ${ARTICLE} > ${ART}
 +
  ##  Get any arguments.
 -if grep "^Control:[   ]*${PROG}" <${ARTICLE} >/dev/null 2>&1 ; then
 -    set X `${SED} -n -e "s/^Control:[         ]*${PROG}//p" -e '/^$/q' <${ARTICLE}`
 +if grep "^Control:[   ]*${PROG}" <${ART} >/dev/null 2>&1 ; then
 +    set X `${SED} -n -e "s/^Control:[         ]*${PROG}//p" -e '/^$/q' <${ART}`
      shift
  else
      if grep "^Subject:[       ]*cmsg[         ]*${PROG}" \
 -              <${ARTICLE} >/dev/null 2>&1 ; then
 +              <${ART} >/dev/null 2>&1 ; then
        set X `${SED} -n -e "s/^Subject:[       ]*cmsg[         ]*${PROG}//p" \
 -              -e '/^$/q' <${ARTICLE}`
 +              -e '/^$/q' <${ART}`
        shift
      else
 -      rm -f ${TEMP}
 -      ${MAILCMD} -s "Bad header by ${FROM}" \
 -              ${NEWSMASTER} <${ARTICLE}
 +      ${SED} -e 's/^~/~~/' <${ART} | \
 +              ${MAILCMD} -s "Bad header by ${FROM}" ${NEWSMASTER}
 +      rm -f ${TEMP} ${ART}
        exit
      fi
  fi
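Review bot: `ART=${TMPDIR}/art$$` adds another predictable temp file, created with a bare `>` redirection; the covering mail itself says the existing `inp$$`/`art$$` names are easy to fool, so this only holds if `TMPDIR` is private to news. Also, the `tr -cd` copy is what now gets mailed to `${NEWSMASTER}` on a bad header, so the admin sees the filtered article rather than what actually arrived; consider mailing `${ARTICLE}` (still through the `s/^~/~~/` sed) and using `${ART}` only for the extraction. The `exit` in that branch carries no status; `exit 1` would let the caller tell the bad-header case from success.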
 @@ -70,7 +76,7 @@
      ;;
      esac"
  done
 -rm -f ${TEMP}
 +rm -f ${TEMP} ${ART}
  IFS="`echo stn | tr stn ' \011\012'`"

  LOGFILE=mail
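Review bot: `rm -f ${TEMP} ${ART}` here and in the bad-header branch are the only cleanups visible; any early `exit` between the two (the per-line loop ending at ` done` sits in between) would leave `${ART}` behind in `${TMPDIR}`. A `trap 'rm -f ${TEMP} ${ART}' 0` set right after `ART=` is assigned covers every exit path in one place.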
 --- bin/control/newgroup.old   Fri Sep 15 10:50:56 1995
 +++ bin/control/newgroup       Fri Sep 15 10:50:05 1995
 @@ -3,6 +3,7 @@
  ##  Newgroup control-message handler

  PROG=newgroup
 +GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]"

  ##  Some shells don't pass in $* unless we explicitly pass it in here.
  ##  =()<. @<_PATH_PARSECTL>@ "$@">()=
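Review bot: this is a second, verbatim copy of the GOODCHARS class from parsecontrol. Since newgroup sources parsecontrol via the `. @<_PATH_PARSECTL>@ "$@"` line just below, parsecontrol's own definition is in scope after that point anyway; keep the class in one place (parsecontrol or innshellvars) so the two copies cannot drift apart and any correction to the class, which currently lacks `.`, reaches both scripts.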
 @@ -127,7 +128,7 @@
  p
  q
  }
 -b scan"`
 +b scan" | tr -cd "${GOODCHARS}"`
  test -z "${DESC}" && {
      DESC=`${EGREP} "^$1       " ${NEWSGROUPS} | ${SED} "s/[   ]*(Moderated)//"`
      test -z "${DESC}" && DESC="$1     ?"
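Review bot: piping the scanned description through `tr -cd "${GOODCHARS}"` removes the tab between group name and description on the `For your newsgroups file:` line (the class admits `\010`, backspace, rather than `\011`) and every `.` in the group name, so the value stored in `${NEWSGROUPS}` will not have the tab-separated `"$1<tab>?"` shape the fallback two lines below produces. Filter with a class that keeps tab and `.`, or apply the filter to the description text only and leave the group name to the existing checks.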
******************************************************************
