Bugtraq mailing list archives
INN1.4sec on Linux
From: okir () monad swb de (Olaf Kirch)
Date: Mon, 18 Sep 1995 13:05:25 +0200
Hello,

here's a message I just posted to linux-security. Forgive me if it has been discussed on bugtraq before, but several INN packages for Linux still seem to be vulnerable.

Olaf

Hi all,

there's a problem with INN1.4sec as distributed on sunsite and probably a number of Linux distributions. Control messages are parsed by shell scripts, which (at least for some shells) allow remote users to execute arbitrary commands on your news host. I tested this problem with bash 1.13.1-CWRU; other shells may or may not allow this kind of attack.

The problem involves putting `...` or $(...) commands in certain header fields (Control, From, and Subject), and possibly the body (newgroup messages). According to Rich Salz, this has been discussed on Usenet already; the suggested fix is to use tr to filter out unwanted characters.

Please test out the patch attached below; if you find any problem with it, please mail me as soon as possible. Otherwise, I will post a message to linux-alert concerning this in a day or two. (The patch also adds a missing sed filter for mailx tilde escapes.)

A second problem I came across has to do with rnews. If you have rnews installed, users may execute any commands by faking certain types of news batches. rnews feeds these batches to small shell scripts below LIBDIR/bin/rnews for unpacking, passing on the entire environment given to it by the calling process--including PATH and IFS. The sample c7unbatch script included in the distribution is not aware of this situation, and executes `decode | /bin/compress -d'. A possible fix for this may be to insert the following lines at the top of these scripts:

: IFS=" "
: PATH=/bin:/usr/bin
: . /usr/lib/news/innshellvars
: PATH=${RNEWS}:/bin:/usr/bin

Alternatively, you may want to simply set IFS to " " and invoke all programs using their full pathnames.
While you're at it, you may also wish to make sure that TMPDIR points to a directory accessible only to news, for instance SPOOLDIR/tmp. INN shell scripts create a hell of a lot of tempfiles with names such as inp$$, art$$, and so on, which can be fooled quite easily. The TMPDIR variable is set in LIBDIR/innshellvars.

Best wishes
Olaf

--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir () monad swb de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir () brewhq swb de.

******************************************************************
******** patch for INN. Indented to avoid pgp garbling ***********
******************************************************************
--- parsecontrol.old Fri Sep 15 10:24:35 1995 +++ parsecontrol Fri Sep 15 10:36:30 1995 @@ -6,9 +6,12 @@ . /usr/lib/news/innshellvars WRITELOG=${NEWSBIN}/writelog +# Avoid `...` and $(...) in headers. These seem to be safe +GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]" + AZ=ABCDEFGHIJKLMNOPQRSTUVWXYZ az=abcdefghijklmnopqrstuvwxyz -FROM="`echo \"$1\" | tr ${AZ} ${az}`" +FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -cd \"${GOODCHARS}\"`" REPLYTO="$2" case "$3" in "")
@@ -29,20 +32,23 @@ test -z "${PROG}" && PROG=all ${EGREP} "^(${PROG}|all):" <${CTLFILE} >${TEMP} +ART=${TMPDIR}/art$$ +tr -cd "${GOODCHARS}" < ${ARTICLE} > ${ART} + ## Get any arguments. -if grep "^Control:[ ]*${PROG}" <${ARTICLE} >/dev/null 2>&1 ; then - set X `${SED} -n -e "s/^Control:[ ]*${PROG}//p" -e '/^$/q' <${ARTICLE}` +if grep "^Control:[ ]*${PROG}" <${ART} >/dev/null 2>&1 ; then + set X `${SED} -n -e "s/^Control:[ ]*${PROG}//p" -e '/^$/q' <${ART}` shift else if grep "^Subject:[ ]*cmsg[ ]*${PROG}" \ - <${ARTICLE} >/dev/null 2>&1 ; then + <${ART} >/dev/null 2>&1 ; then set X `${SED} -n -e "s/^Subject:[ ]*cmsg[ ]*${PROG}//p" \ - -e '/^$/q' <${ARTICLE}` + -e '/^$/q' <${ART}` shift else - rm -f ${TEMP} - ${MAILCMD} -s "Bad header by ${FROM}" \ - ${NEWSMASTER} <${ARTICLE} + ${SED} -e 's/^~/~~/' <${ART} | \ + ${MAILCMD} -s "Bad header by ${FROM}" ${NEWSMASTER} + rm -f ${TEMP} ${ART} exit fi fi @@ -70,7 +76,7 @@ ;; esac" done -rm -f ${TEMP} +rm -f ${TEMP} ${ART} IFS="`echo stn | tr stn ' \011\012'`" LOGFILE=mail --- bin/control/newgroup.old Fri Sep 15 10:50:56 1995 +++ bin/control/newgroup Fri Sep 15 10:50:05 1995 @@ -3,6 +3,7 @@ ## Newgroup control-message handler PROG=newgroup +GOODCHARS="[A-Za-z0-9_: <@>!\"'\$\010\012-]" ## Some shells don't pass in $* unless we explicitly pass it in here. ## =()<. @<_PATH_PARSECTL>@ "$@">()= @@ -127,7 +128,7 @@ p q } -b scan"` +b scan" | tr -cd "${GOODCHARS}"` test -z "${DESC}" && { DESC=`${EGREP} "^$1 " ${NEWSGROUPS} | ${SED} "s/[ ]*(Moderated)//"` test -z "${DESC}" && DESC="$1 ?"
******************************************************************
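Review bot: the GOODCHARS set in the first parsecontrol hunk, `[A-Za-z0-9_: <@>!\"'\$\010\012-]`, contains no `.`, so once the whole article has been through `tr -cd` the arguments handed to the handlers lose their dots (a group name like comp.os.linux comes out as composlinux) and the FROM address is mangled the same way; `.` needs to be in the set. Two smaller points on the same line: `\010` is backspace while tab is `\011`, so tabs in folded header lines are deleted and backspaces survive, and `$` is still allowed, which only matters if a downstream eval re-expands the value (the `;; esac"` string closing the loop in the third hunk suggests the case body is assembled as text), but it costs nothing to drop.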
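Review bot: `ART=${TMPDIR}/art$$` in the second parsecontrol hunk creates a temporary file with exactly the predictable `art$$` name the message itself warns about, so the fix depends on TMPDIR being writable by news only; either state that requirement in a comment next to the line or avoid the file by filtering on the fly (`tr -cd "${GOODCHARS}" <${ARTICLE} | grep ...`). Also, the "Bad header" branch now mails the filtered `${ART}` rather than the original article, so the newsmaster receives a mangled copy; feeding `${ARTICLE}` through the tilde-escaping sed instead keeps the evidence intact.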
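Review bot: GOODCHARS is defined a second time in the first newgroup hunk with the same literal as in parsecontrol; both scripts already source innshellvars (`. /usr/lib/news/innshellvars` in the first hunk), so define it once there and the two copies cannot drift apart when the set is adjusted.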
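As an added example (not code from Olaf Kirch's post or from INN), a small POSIX shell script that applies both recommendations from the message: a character whitelist on the header text in the style of the patch's `tr -cd`, after pinning IFS and PATH as suggested for the rnews helpers. The whitelist is my own variant of the patch's GOODCHARS (it adds `.` for newsgroup names, uses tab rather than `\010`, and drops `$`), and the article text is constructed.

```shell
# Added example, not code from Olaf Kirch's post or from INN: extract control-message
# arguments through a character whitelist (the patch's approach) after pinning IFS/PATH.

# Known environment first, so nothing inherited from the caller controls word
# splitting or which programs "sed" and "tr" resolve to.
IFS=' '
PATH=/bin:/usr/bin
export PATH

# Whitelist in the spirit of the patch's GOODCHARS, with deliberate differences:
# no surrounding brackets (tr would keep '[' and ']' too), '.' for newsgroup names,
# tab (\011) instead of backspace (\010), and no '$'.  Everything else, notably
# ` $ ( ) ; | & { } \, is deleted by tr -cd.
GOODCHARS='A-Za-z0-9_.: <@>!"'"'"'\011\012-'

# control_args PROG  (article on stdin)
# Print what follows "Control: PROG" in the header section, or failing that
# "Subject: cmsg PROG", with all disallowed characters removed.
control_args() {
    prog=$1
    art=$(cat)
    # Header section only: the sed script quits at the first blank line.
    val=$(printf '%s\n' "$art" |
        sed -n -e "s/^Control:[[:blank:]]*${prog}//p" -e '/^$/q')
    if [ -z "$val" ]; then
        val=$(printf '%s\n' "$art" |
            sed -n -e "s/^Subject:[[:blank:]]*cmsg[[:blank:]]*${prog}//p" -e '/^$/q')
    fi
    # Filter before the value is ever word-split or passed to another program.
    printf '%s' "$val" | tr -cd "$GOODCHARS"
}

# Constructed sample article.  The shell metacharacters in its headers are plain
# data here and are never executed by anything in this script.
sample_article() {
    cat <<'EOF'
Path: news.example.invalid!not-for-mail
From: someone@example.invalid
Newsgroups: control
Subject: cmsg newgroup alt.test.constructed `uname`
Control: newgroup alt.test.constructed $(id) ; echo injected
Message-ID: <constructed-1@example.invalid>

The body is not scanned for arguments, so this line is ignored:
Control: rmgroup alt.test.constructed
EOF
}

# Stand-alone run: prints ' alt.test.constructed id  echo injected'
sample_article | control_args newgroup; echo
```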