19971010: Recent newgroup denial of service attack
From:             "Forrest J. Cavalier III" <mibsoft@epix.net>
To:               corrbeta-l@mibsoftware.com
Date sent:        Fri, 10 Oct 1997 11:58:51 -0400
Subject:          Recent newgroup denial of service attacks
Send reply to:    corrbeta-l@mibsoftware.com
Copies to:        mibsoft@epix.net
Priority:         normal

For Usenet RKT subscribers.  Do not distribute.  I posted
a slightly different message to inn-workers already...

SUMMARY: A recent vulnerability in INN has been discovered and
has been exploited to crash INN.  inn1.5.1corr is vulnerable to this
attack.  You are being notified because you have a paid (or
honorary, in the case of beta testers) subscription to the Usenet RKT.

Requirements for the exploit to crash inn:

   Accepting (using "doit" ACTION) of a newsgroup message with a very
      long newsgroup name, but less than 256-24 in length.  (This
      depends on pgp-verify, CTLFILE settings, etc.)

   A combined strlen of newsgroup name + from + rest > 255.  This
      is determined by the message content.

   An active.times file

   A newgroup script which does not reject newsgroup names which are
      too deep.  There is code in the sample newgroup script, but it
      is disabled by default.

Versions determined to be vulnerable
   1.5.1 (by inspection)
   1.5.1corr, and all derivatives.  (by testing)

Versions not vulnerable (by inspection, not by testing)
   1.5.1sec2 (although there are other vulnerabilities.)
   1.6b3

A patch, applicable to 1.5.1 and 1.5.1corr, is attached
and is also available at:
    http://www.mibsoftware.com/userkt/inn/patches/long-newgroup-secfix.diff
It applies to innd/cc.c.

RECOMMENDATIONS:
Even if your current control configuration (or use of
pgp) makes your system immune, applying the patch now
will prevent future problems if you make changes.

Even though this defect was not caused by me, I take
responsibility for it in 1.5.1corr, and this notice is
sent to every beta tester and registered user.

This defect was not discovered by me.  It was reported
recently to news.software.nntp by Joe Greco and a
different patch worked by Chris Caputo.  I simply did work
to verify and characterize it, developed a different fix, which
I tested and verified.

I apologize if the vulnerability and the recent exploits
have caused any inconvenience to you.  If you ever have
INN crash for an unknown reason, be sure to notify me.
1.5.1corr is supported software.

Forrest Cavalier, Mib Software

ADDITIONAL DETAILS:
The reason that 1.5.1corr is not correct stems from my
code inspection which tagged the change in 1.6b3 as an
internal string limit change: INN160SL.  There is a test
to check for a potential buffer overflow, but it is
defective.  The code should have been tagged as
INN160XS, and fixed in 1.5.1corr.

I suggest a different fix than the one already proposed
(attached).  It makes the correct check for buffer overflow.
I verified that it works for the cases I described.

A re-inspection of cc.c shows that there is no similar mechanism
for failure for rmgroup messages.

You can find a summary and links related to this topic
as part of the Mib Software Usenet RKT.