[Search for users]
[Overall Top Noters]
[List of all Conferences]
[Download this site]
| Title: | SEAL |
|
| Moderator: | GALVIA::SMITH |
|
| Created: | Mon Mar 21 1994 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 1989 |
| Total number of notes: | 8209 |
1877.0. "CERT advisory on NEWS attack..." by NCMAIL::SMITHB () Tue Mar 18 1997 15:53
-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT(sm) Summary CS-97.02 - SPECIAL EDITION
March 18, 1997
This special edition of the CERT Summary highlights widespread, large-scale
attacks that are occurring against news servers.
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Current activity - attacks on news servers
- ------------------------------------------
The CERT Coordination Center and incident response teams around the world have
received numerous reports concerning widespread, large-scale attacks on NNTP
(Network News Transport Protocol) servers throughout the world. NNTP servers
are commonly referred to as USENET news servers.
The activity involves an attempt to exploit a vulnerability in versions of
INN (InterNetNews) prior to 1.5.1. We have received reports that version 1.5.1
was thought to be vulnerable; however, as far as we are able to determine, it
is not.
INN is a commonly used software program for serving and managing news
according to the NNTP protocol. This vulnerability allows remote users to
execute arbitrary commands on the news server with the same privileges as
the user-id that manages the news server. As of 8:00 am EST (GMT -5),
March 18, 1997, it appears that the most common activity is to attempt to mail
the password file and configuration files to a remote site.
Because of the nature of USENET news, messages are passed automatically from
one site to another. The exploitation involves a particular kind of message,
known as a control message. Intruders can construct and post control messages
in such a way as to exploit the vulnerability. Because of this, your site may
have been compromised even if it was not specifically selected by an intruder.
Information about the vulnerability, along with information about patches and
workarounds, is available from
ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd
If we receive further information, we will update this advisory.
We encourage sites that are running INN 1.5 or earlier to upgrade to
INN 1.5.1 as soon as possible.
James Brister, the current maintainer of INN, has provided additional
information regarding the update to INN 1.5.1; this information has been added
to the advisory. James has provided the following patches for INN version 1.5,
1.4sec, 1.4unoff3, and 1.4unoff4:
ftp://ftp.isc.org/isc/inn/patches/security-patch.01 1.5
ftp://ftp.isc.org/isc/inn/patches/security-patch.02 1.4sec
ftp://ftp.isc.org/isc/inn/patches/security-patch.03 1.4unoff3, 1.4unoff4
The directory includes MD5 checksums for each patch.
Information regarding INN patches may be found at
http://www.isc.org/inn.html
System administrators who did not update to INN 1.5.1 before Friday,
March 14, 1997, should take the following steps:
* Examine your news logs for signs of exploitation. So far, we
have reports of at least six distinct message IDs being used:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Although these messages appear to come from UUNET, the messages
were forged.
If these message IDs appear in your logs, it is highly likely that
these control messages reached your news server. Moreover, it is
almost certain that additional messages will be (or already have been)
crafted by intruders, so checking for those message IDs is not enough.
* If you discover that your password file has been mailed to an intruder
and you are not using a shadow password mechanism (or another password
mechanism such as Kerberos), you should consider changing all the
passwords on your systems.
We encourage you to examine the following documents for further
security information:
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
This document will help you methodically check your systems
for signs of compromise, and offers pointers to other resources
and suggestions on how to proceed in the event of a compromise.
ftp://info.cert.org/pub/tech_tips/root_compromise
This document outlines steps you can take to help recover from
a root compromise and to secure your systems from further
compromise.
ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines
This document will help you avoid common problems that can lead
to compromises on UNIX systems, and provides a general framework
for configuring UNIX systems.
ftp://info.cert.org/pub/tech_tips/security_tools
This document provides a list of tools that can help you
to monitor your systems for signs of compromise and to
monitor activity on your systems and networks.
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
This document describes ways in which you can protect your
password file from unauthorized access.
* Examine your news server for unauthorized processes running as the
news user. Several of the malicious NNTP control messages include a
script that attempts to establish an outgoing telnet session to another
location. Typically, sites with firewalls permit outbound telnet
connections.
* We have several reports of sites that have attempted to check their
own exposure to this vulnerability and have inadvertently released
control messages to the Internet that exploit this vulnerability. We
strongly discourage sites from using control messages as a way to
measure exposure to this vulnerability. To determine if your NNTP
server is vulnerable, we recommend that you follow the steps outlined
in Section I of advisory CA-97.08. If you have accidentally released
such a message, we encourage you to notify any vulnerable sites that
you discover through feedback from your test message. Please include
[email protected] in the CC line of the messages you exchange.
* If you discover that you have been compromised as a result of this
vulnerability and you have a representative in FIRST, we encourage you
to contact them directly. To locate your representative in the FIRST
community, please see
http://www.first.org/
* If you do not have a representative in FIRST, we encourage you to
report to the CERT Coordination Center. In order to help us assess
the 'big picture,' please include the following information:
- Your name and contact information
- The domain name of your news server
- The NNTP server software you run, including version number
- A copy of the control message(s) if you have it
- Any additional pertinent information
In accordance with our policies, we will not release information about
your site without your explicit permission.
Due to the large volume of mail we are receiving regarding this
activity, we may not be able to follow up all reports
individually. Nonetheless, your report will help us to understand the
activity better and to provide more accurate information to the
Internet community at large.
We would like to express our thanks to James Brister for his assistance in
preparing this summary.
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email [email protected]
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
[email protected]
In the subject line, type
SUBSCRIBE your-email-address
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMy6k4nVP+x0t4w7BAQFZWQQAicB4ZaxN9Eu7R2d9KHD3QHVmaZcNilir
JOU00lV5Tzc626VsnCgE/Er4ptC27iSBlzTAYgJa/VSAHnqDW/VF2nzBGluIkIwD
hnRbZn49QdKzyN8PtNt7I2dY58V7EpbQsOH+tCbdcGsYlEe+sKaAR9NNSEgceGwl
WA70HTTvVK4=
=YbSQ
-----END PGP SIGNATURE-----
| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 1877.1 | INN control.ctl file | KYOSS1::MONTARE | Alex Montare | Tue Mar 18 1997 20:22 | 18 |
| Several of our customers where we have installed News servers such as
INN have asked how they can prevent automatically responding to control
messages. Usually this is because they only want a certain select set
of newsgroups and the "add group" control messages they recieve would
quickly grow that list.
INN uses a file called control.ctl to determine the response (if any) to
recieved control messages. Out of the box, several control messages
cause groups to be automatically added, deleted, etc. In most cases
where the customer wants a "static" news configuration, I've changed the
action field to "mail" which causes a mail message to be sent to the
news administrator without performing the requested action. Then the
news admin can periodically review the mail messages and decide whether
to add or delete the newsgroup in question.
Since I haven't ftp'd the file with the details of this attack, I can't
be sure if this is the attack mechanism, but it bears mentioning in any
case when discussing News server security.
|