C-News security bug

Selden E. Ball, Jr. ((no email))
Fri, 25 Feb 1994 13:47:53 -0500 (EST)

Gentle folk,

Herewith a complete discussion of the News Mail security bug as it applies
to C-News.

Selden
===========
>From: IN%"pmetzger@lehman.com" 25-FEB-1994 13:42:18.94
>To: IN%"bugtraq@crimelab.com"
>CC: IN%"henry@zoo.toronto.edu"
>Subj: News Bug
>
>Return-path: <bugtraq-owner@crimelab.crimelab.com>
>Received: from crimelab.crimelab.COM by LNS62.LNS.CORNELL.EDU (PMDF V4.2-13
> #3448) id <01H9AZ3IH3YO8WYZDC@LNS62.LNS.CORNELL.EDU>; Fri,
> 25 Feb 1994 13:41:22 EST
>Received: from localhost (root@localhost) by crimelab.crimelab.com
> (8.6.4/8.6.4) id LAA00364 for bugtraq-outgoing; Fri, 25 Feb 1994 11:58:49 -0600
>Received: from lehman.com (Lehman.COM [192.147.66.1]) by crimelab.crimelab.com
> (8.6.4/8.6.4) with ESMTP id LAA00358 for <bugtraq@crimelab.com>; Fri,
> 25 Feb 1994 11:58:38 -0600
>Received: from relay.lehman.com by lehman.com (8.6.4/LB 0.1) id XAA10437; Thu,
> 24 Feb 1994 23:39:30 -0500
>Received: from kublai by relay.lehman.com (4.1/LB-0.6) id AA09034; Thu,
> 24 Feb 94 23:39:28 EST
>Received: from andria.lehman.com by kublai (8.6.4/8.6.3) id XAA18381; Thu,
> 24 Feb 1994 23:39:27 -0500
>Received: by andria.lehman.com (4.1/SMI-4.1) id AA19696; Thu,
> 24 Feb 94 23:39:27 EST
>Date: Thu, 24 Feb 1994 23:39:27 -0500
>From: "Perry E. Metzger" <pmetzger@lehman.com>
>Subject: News Bug
>Sender: bugtraq-owner@crimelab.crimelab.com
>To: bugtraq@crimelab.com
>Cc: henry@zoo.toronto.edu
>Reply-to: pmetzger@lehman.com
>Message-id: <199402250439.XAA18381@kublai>
>Content-transfer-encoding: 7BIT
>X-Reposting-Policy: redistribute only with permission
>Precedence: bulk
>
>[I am cc:ing this message to Henry Spencer.]
>
>In the spirit of full disclosure in which the bugtraq list was started:
>
>Examination of the cnews control message processing reveals that the
>scripts used to execute the control messages pass chunks of the
>contents of those messages to "mail". If your cnews is installed in
>the default manner on a BSD type system, /bin and /usr/bin come before
>/usr/ucb in the path for the news executables and /bin/mail is
>executed -- however, if /usr/ucb comes first in the path because of a
>nonstandard installation /usr/ucb/mail gets run and tilde escapes,
>including ~! -- the bad implications of this should be obvious.
>
>I do not know if there are similar problems in INN.
>
>This is apparently the security hole that some people have been
>obliquely discussing.
>
>What to do:
>
>1) If /bin and /usr/bin are in the path of your news scripts first,
> you have nothing immediately to worry about. You might apply the
> following fixes anyway.
>2) Most safely, replace references to "mail" with "/bin/mail".
>3) Slightly less safely, assure that "/bin" and "/usr/bin" are in the
> path first. It is entirely possible that there is some way to force
> these to the end of the path using another trick -- I don't know
> how this might be done but shell scripts are tricky to plug all
> holes on. Therefore, I would do 2).
>4) No matter what, assure that your scripts run as user "news" or
> otherwise as a non-root user. This will make sure that the impact
> of any other holes is minimized. The scripts should already be
> running this way in an ordinary installation, but yours might not
> be ordinary.
>
>Perry Metzger
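
Added example (mine, not part of Perry's message and not C News code): a small
POSIX sh audit that shows concretely what items 2 and 3 above are about. It
builds a throwaway directory tree with placeholder "mail" programs under
bin/ and usr/ucb/ (constructed for the example, so it runs anywhere without
touching the real system), resolves which "mail" a given PATH would pick,
and flags any answer other than /bin/mail or /usr/bin/mail. The function
names, the fake tree and the MAIL_BIN hook are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bugtraq message or from C News.
# Audits which "mail" a news script's PATH resolves to, and shows the
# hardened call: absolute /bin/mail with PATH pinned to /bin:/usr/bin first.

# make_fake_tree: builds a constructed directory tree with placeholder
# "mail" programs at bin/mail and usr/ucb/mail, prints its root.
make_fake_tree() {
    _root=$(mktemp -d) || return 1
    for _d in bin usr/ucb; do
        mkdir -p "$_root/$_d"
        printf '#!/bin/sh\nprintf "placeholder %%s\\n" "$0"\n' > "$_root/$_d/mail"
        chmod 755 "$_root/$_d/mail"
    done
    printf '%s\n' "$_root"
}

# first_mail_on_path PATHSTRING [ROOT]
# Prints the first executable named "mail" along PATHSTRING, exactly as
# the shell would resolve a bare "mail". ROOT (optional) is prepended to
# each directory so the lookup can be run against the fake tree.
first_mail_on_path() {
    _path=$1; _root=${2:-}
    _old_ifs=$IFS; IFS=:
    for _dir in $_path; do
        if [ -x "$_root$_dir/mail" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_root$_dir/mail"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# path_picks_safe_mail PATHSTRING [ROOT]
# Returns 0 when PATH resolves "mail" to /bin/mail or /usr/bin/mail,
# 1 for anything else (for instance /usr/ucb/mail, which honours tilde
# escapes) or when no "mail" is found at all.
path_picks_safe_mail() {
    _found=$(first_mail_on_path "$1" "${2:-}") || return 1
    _rel=${_found#"${2:-}"}
    case $_rel in
        /bin/mail|/usr/bin/mail) return 0 ;;
        *) return 1 ;;
    esac
}

# count_tilde_lines: counts stdin lines that begin with "~", the prefix
# /usr/ucb/mail treats as an escape command. A non-zero count in a control
# message body is worth logging even after the fix is applied.
count_tilde_lines() {
    grep -c '^~' || :
}

# send_notice RECIPIENT < body
# The hardened form of the call: item 2 (absolute path) and item 3
# (system directories first in PATH) together. MAIL_BIN is an assumed
# hook so the placeholder can stand in for /bin/mail during a dry run.
send_notice() {
    PATH=/bin:/usr/bin:/usr/ucb; export PATH
    "${MAIL_BIN:-/bin/mail}" "$1"
}

# demo: runs the audit against the constructed tree for both PATH orders.
demo() {
    _root=$(make_fake_tree) || return 1
    for _p in /bin:/usr/bin:/usr/ucb /usr/ucb:/bin:/usr/bin; do
        if path_picks_safe_mail "$_p" "$_root"; then
            printf 'PATH=%s -> %s (ok)\n' "$_p" "$(first_mail_on_path "$_p" "$_root")"
        else
            printf 'PATH=%s -> %s (UNSAFE)\n' "$_p" "$(first_mail_on_path "$_p" "$_root")"
        fi
    done
    printf 'hello\nplain line\n' | MAIL_BIN="$_root/bin/mail" send_notice news
    rm -rf "$_root"
}

[ "${1:-}" = demo ] && demo
```

Run it as "sh audit.sh demo" to see both PATH orderings resolved against the
placeholder tree; to audit a real installation, call path_picks_safe_mail
with the PATH your news scripts actually inherit (and no ROOT argument).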