IMPORTANT: Security problem with ucbmail when used with INN news server

Post by Matt Pow » Thu, 17 Apr 1997 04:00:00

I've found a new security problem with the ucbmail program when used
with any version of the INN news server. Please note that this new
problem is completely unrelated to the one addressed by the April 4
CERT advisory (ftp://ftp.cert.org/pub/cert_advisories/CA-97.08.innd).
Even if you are running INN 1.5.1 and have read and acted on that
advisory, your news server may still process certain control messages
in a way that allows execution of arbitrary commands by remote users.

The problem only affects specific versions of the ucbmail program. The
ucbmail behavior that results in the vulnerability has been confirmed
only for NEXTSTEP 3.3, NEXTSTEP 3.2, and BSD 4.3 (admittedly it's
unlikely that many sites are using BSD 4.3 on their news server).
Additionally, on these systems, the vulnerability becomes exploitable
if INN's innshellvars file sets the variable MAILCMD to either
/usr/ucb/Mail or /usr/ucb/mail. (This is a very common setting.)

I think that ISC plans to remove this vulnerability in the next INN
release by eliminating INN's dependency on the ucbmail program, or by
some other major change to how control messages are processed. In the
meantime, those whose news-server machines are currently vulnerable
may wish to apply the patch included at the end of this message. This
patch is an entirely unsupported temporary workaround. However, I
would recommend that anyone using INN on NEXTSTEP apply this patch. I
don't know of any harm that would be caused by applying this patch on
other platforms, but it hasn't yet been tested on other platforms.

The intent of the patch is to prevent any ~ characters from being
included in the input that INN's shell scripts present to the ucbmail
program. You may notice in the man page the statement "Tilde escapes
are only recognized at the beginning of lines." -- however, there's a
bug in many versions of ucbmail that makes this statement not strictly
true. For this bug to be important in the context of INN, it must also
be true that the ucbmail program has the property that it processes
tilde escapes even if the return value of isatty(0) is zero. This
property is present in a number of versions of ucbmail, apparently
including some for which the man page explicitly claims otherwise.

*** checkgroups.old     Tue Dec 17 09:40:40 1996
--- checkgroups Wed Apr 16 02:18:52 1997
***************
*** 23,25 ****
        echo '-EOF-'
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "checkgroups by ${FROM}" ${NEWSMASTER}
      ;;
--- 23,25 ----
        echo '-EOF-'
!     ) | sed -e 's/~/%7e/g' | ${MAILCMD} -s "checkgroups by ${FROM}" ${NEWSMASTER}
      ;;
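Review bot: the global substitution `s/~/%7e/g` is not reversible, so the newsmaster receives altered article text and an article that legitimately contained the literal string `%7e` is indistinguishable from one that contained `~`. If the affected ucbmail versions honour the documented `~~` literal-tilde escape in mid-line as well as at line start, `s/~/~~/g` would neutralise the escape while preserving the content; if that has not been confirmed, keep `%7e` but add a one-line comment above the pipe saying why every tilde is rewritten, so the next maintainer does not "fix" it back to `s/^~/~~/`.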

*** default.old Tue Dec 17 09:40:40 1996
--- default     Wed Apr 16 02:18:53 1997
***************
*** 12,14 ****
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
          | ${MAILCMD} -s "Unknown control message by ${FROM}" ${NEWSMASTER}
--- 12,14 ----
  mail)
!     sed -e 's/~/%7e/g' <${ARTICLE} \
          | ${MAILCMD} -s "Unknown control message by ${FROM}" ${NEWSMASTER}

*** ihave.old   Tue Dec 17 09:40:40 1996
--- ihave       Wed Apr 16 02:18:53 1997
***************
*** 11,13 ****
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
        | ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER}
--- 11,13 ----
  mail)
!     sed -e 's/~/%7e/g' <${ARTICLE} \
        | ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER}

*** innwatch.old        Tue Dec 17 09:40:40 1996
--- innwatch    Wed Apr 16 02:18:53 1997
***************
*** 316,318 ****
            ) 2>&1 \
!             | sed -e 's/^~/~~/' \
            | ${MAILCMD} -s "${PROGNAME} warning: messages in ${LOGFILE}" \
--- 316,318 ----
            ) 2>&1 \
!             | sed -e 's/~/%7e/g' \
            | ${MAILCMD} -s "${PROGNAME} warning: messages in ${LOGFILE}" \

*** news.daily.old      Tue Dec 17 09:40:40 1996
--- news.daily  Wed Apr 16 02:18:54 1997
***************
*** 345,347 ****
      MAIL="${MAILCMD} -s \"${MAILSUBJ}\" ${NEWSMASTER}"
!     test -s ${TEMP} && cat ${TEMP} | sed -e 's/^~/~~/' | eval ${MAIL}
      rm -f ${TEMP}
--- 345,347 ----
      MAIL="${MAILCMD} -s \"${MAILSUBJ}\" ${NEWSMASTER}"
!     test -s ${TEMP} && cat ${TEMP} | sed -e 's/~/%7e/g' | eval ${MAIL}
      rm -f ${TEMP}
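Review bot: `cat ${TEMP} | sed -e 's/~/%7e/g'` can simply be `sed -e 's/~/%7e/g' ${TEMP}`, matching how rmgroup reads ${ARTICLE}. Separately, `eval ${MAIL}` re-parses the command string built on the line above, with `\"${MAILSUBJ}\"` inside it; the sed filter protects the message body, but a double quote or backquote in ${MAILSUBJ} would still be interpreted by the eval, so whatever sets MAILSUBJ must never take it from article data.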

*** parsecontrol.old    Tue Dec 17 09:40:40 1996
--- parsecontrol        Wed Apr 16 02:18:54 1997
***************
*** 56,58 ****
        if $MAILFAILURES; then
!               ${SED} -e 's/^~/~~/' < ${ARTICLE} \
                        | ${MAILCMD} -s "Bad header by ${FROM}" ${NEWSMASTER}
--- 56,58 ----
        if $MAILFAILURES; then
!               ${SED} -e 's/~/%7e/g' < ${ARTICLE} \
                        | ${MAILCMD} -s "Bad header by ${FROM}" ${NEWSMASTER}
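Review bot: parsecontrol invokes `${SED}` while checkgroups, rmgroup, sendsys and the other patched scripts call bare `sed`. Since innshellvars already provides the variable (it is used here), the other scripts could use `${SED}` too, so the filter runs the same binary regardless of the PATH the invoking daemon inherited.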
***************
*** 70,72 ****
      if $MAILFAILURES; then
!       ${SED} -e 's/^~/~~/' < ${ARTICLE} \
            | ${MAILCMD} -s "Malformed newsgroup name by ${FROM}" ${NEWSMASTER}
--- 70,72 ----
      if $MAILFAILURES; then
!       ${SED} -e 's/~/%7e/g' < ${ARTICLE} \
            | ${MAILCMD} -s "Malformed newsgroup name by ${FROM}" ${NEWSMASTER}
***************
*** 82,84 ****
      if $MAILFAILURES; then
!       ${SED} -e 's/^~/~~/' < ${ARTICLE} \
            | ${MAILCMD} -s "Unexpected program name by ${FROM}" ${NEWSMASTER}
--- 82,84 ----
      if $MAILFAILURES; then
!       ${SED} -e 's/~/%7e/g' < ${ARTICLE} \
            | ${MAILCMD} -s "Unexpected program name by ${FROM}" ${NEWSMASTER}

*** rmgroup.old Tue Dec 17 09:40:40 1996
--- rmgroup     Wed Apr 16 02:18:54 1997
***************
*** 27,29 ****
        echo 'The full article was:'
!       sed -e 's/^~/~~/' ${ARTICLE}
      ) | ${MAILCMD} -s "rmgroup $1 by ${FROM}" ${NEWSMASTER}
--- 27,29 ----
        echo 'The full article was:'
!       sed -e 's/~/%7e/g' ${ARTICLE}
      ) | ${MAILCMD} -s "rmgroup $1 by ${FROM}" ${NEWSMASTER}

*** sendme.old  Tue Dec 17 09:40:40 1996
--- sendme      Wed Apr 16 02:18:54 1997
***************
*** 11,13 ****
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
        | ${MAILCMD} -s "sendme by ${FROM}" ${NEWSMASTER}
--- 11,13 ----
  mail)
!     sed -e 's/~/%7e/g' <${ARTICLE} \
        | ${MAILCMD} -s "sendme by ${FROM}" ${NEWSMASTER}

*** sendsys.old Tue Dec 17 09:40:40 1996
--- sendsys     Wed Apr 16 02:18:55 1997
***************
*** 31,33 ****
        cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "sendsys by ${FROM}" ${NEWSMASTER}
      ;;
--- 31,33 ----
        cat ${ARTICLE}
!     ) | sed -e 's/~/%7e/g' | ${MAILCMD} -s "sendsys by ${FROM}" ${NEWSMASTER}
      ;;
***************
*** 40,42 ****
        ${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}
!       sed -e 's/^~/~~/' <${ARTICLE} \
            | ${MAILCMD} -s "sendsys by ${FROM}; reply sent" ${NEWSMASTER}
--- 40,42 ----
        ${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}
!       sed -e 's/~/%7e/g' <${ARTICLE} \
            | ${MAILCMD} -s "sendsys by ${FROM}; reply sent" ${NEWSMASTER}
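Review bot: the unchanged line `${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}` still feeds a file to ${MAILCMD} on stdin with no tilde filter. ${NEWSFEEDS} is local configuration rather than article data, so it is not attacker-controlled the way ${ARTICLE} is, but a `~` in it (a comment, a pathname) would be interpreted by the same ucbmail versions; piping it through the same `sed -e 's/~/%7e/g'` keeps the rule "nothing reaches ${MAILCMD} stdin unfiltered" uniform across the script. Note also that ${REPLYTO} is unquoted on that line, so a value containing whitespace is split into several arguments.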
***************
*** 48,50 ****
            ${MAILCMD} -s "${SUBJECT} for $1" ${REPLYTO} <${TEMP}
!           sed -e 's/^~/~~/' <${ARTICLE} \
                | ${MAILCMD} -s "sendsys $1 by ${FROM}; reply sent" \
--- 48,50 ----
            ${MAILCMD} -s "${SUBJECT} for $1" ${REPLYTO} <${TEMP}
!           sed -e 's/~/%7e/g' <${ARTICLE} \
                | ${MAILCMD} -s "sendsys $1 by ${FROM}; reply sent" \
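Review bot: `${MAILCMD} -s "${SUBJECT} for $1" ${REPLYTO} <${TEMP}` on the unchanged line above sends ${TEMP} to the mail command unfiltered, while the ${ARTICLE} copy two lines later is filtered. Whatever the sendsys script wrote into ${TEMP} for the requesting site, running it through the same `sed -e 's/~/%7e/g'` costs nothing and removes the one remaining stdin path in this block that bypasses the fix.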

*** senduuname.old      Tue Dec 17 09:40:40 1996
--- senduuname  Wed Apr 16 02:18:55 1997
***************
*** 19,21 ****
        cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "senduuname by ${FROM}" ${NEWSMASTER}
      ;;
--- 19,21 ----
        cat ${ARTICLE}
!     ) | sed -e 's/~/%7e/g' | ${MAILCMD} -s "senduuname by ${FROM}" ${NEWSMASTER}
      ;;

*** version.old Tue Dec 17 09:40:40 1996
--- version     Wed Apr 16 02:18:55 1997
***************
*** 23,25 ****
        cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "version by ${FROM}" ${NEWSMASTER}
      ;;
--- 23,25 ----
        cat ${ARTICLE}
!     ) | sed -e 's/~/%7e/g' | ${MAILCMD} -s "version by ${FROM}" ${NEWSMASTER}
      ;;

*** writelog.old        Tue Dec 17 09:40:40 1996
--- writelog    Wed Apr 16 02:18:56 1997
***************
*** 28,30 ****
  Xmail)
!     sed -e 's/^~/~~/' | ${MAILCMD} -s "${MESSAGE}" ${NEWSMASTER}
      exit 0
--- 28,30 ----
  Xmail)
!     sed -e 's/~/%7e/g' | ${MAILCMD} -s "${MESSAGE}" ${NEWSMASTER}
      exit 0