INN commit: trunk (5 files)

INN Commit rra at isc.org
Tue Jul 5 20:37:42 UTC 2011


    Date: Tuesday, July 5, 2011 @ 13:37:42
  Author: iulius
Revision: 9217

STARTTLS / AUTHINFO SASL plaintext command injection

Fixed a possible plaintext command injection during the negotiation of a
TLS layer.  The vulnerability detailed in CVE-2011-0411 affects the STARTTLS
and AUTHINFO SASL commands.  nnrpd now resets its read buffer upon a
successful negotiation of a TLS layer.  It prevents malicious commands, sent
unencrypted, from being executed in the new encrypted state of the session.

The issue has been present since INN 2.3.0 (when STARTTLS was implemented).

Confirmed when sending "STARTTLS\r\nDATE\r\n" with openssl:

17:04 news at trigo ~/work/openssl/openssl-1.0.0d% apps/openssl s_client -quiet -starttls smtp -connect news.trigofacile.com:119
didn't found starttls in server response, try anyway...
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify return:1
500 What?
111 20110403150413
QUIT
205 Bye!

The 500 artefact is because of the EHLO sent by openssl before STARTTLS.
We see here that the DATE command is answered.

With this patch, here is a new attempt with openssl:

17:06 news at trigo ~/work/openssl/openssl-1.0.0d% apps/openssl s_client -quiet -starttls smtp -connect news.trigofacile.com:119
didn't found starttls in server response, try anyway...
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify return:1
500 What?
DATE
111 20110403150638
QUIT
205 Bye!

The answer to DATE is not given after "500 What?".  We had to explicitly
ask for it.
The issue is therefore solved.
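To make the defect in the commit message concrete, here is an added example (not INN's code: the struct and function names are modelled on the ones in the patch but constructed for this illustration). It pushes the same "STARTTLS\r\nDATE\r\n" input through a toy line reader and counts how many plaintext commands get executed after the pretend handshake, with and without the buffer reset:

```c
#include <string.h>

/* Stand-in for nnrpd's struct line (constructed for this example). */
struct line {
    char   buf[256];      /* bytes read from the socket */
    char  *where;         /* next unread byte */
    size_t remaining;     /* unread bytes after 'where' */
};

/* Same effect as the commit's line_reset(): discard whatever is still buffered. */
static void line_reset(struct line *l) {
    l->where = l->buf;
    l->remaining = 0;
}

/* Return the next CRLF-terminated command (NUL-terminated in place), or NULL. */
static char *line_next(struct line *l) {
    char *cmd = l->where;
    char *eol = memchr(cmd, '\n', l->remaining);
    if (eol == NULL)
        return NULL;
    if (eol > cmd && eol[-1] == '\r')
        eol[-1] = '\0';
    *eol = '\0';
    l->remaining -= (size_t)(eol + 1 - cmd);
    l->where = eol + 1;
    return cmd;
}

/* Session loop over input that one read(2) delivered at once.  Returns how many
 * commands sent in plaintext before the handshake ran in the "encrypted" state
 * (-1 on oversize input); reset_on_starttls 0 = vulnerable, 1 = fixed. */
static int injected_commands(const char *client_input, int reset_on_starttls) {
    struct line l;
    int tls = 0, injected = 0;
    char *cmd;
    l.remaining = strlen(client_input);
    if (l.remaining >= sizeof l.buf)
        return -1;
    memcpy(l.buf, client_input, l.remaining);
    l.where = l.buf;
    while ((cmd = line_next(&l)) != NULL) {
        if (!tls && strcmp(cmd, "STARTTLS") == 0) {
            tls = 1;              /* a real server completes the TLS handshake here */
            if (reset_on_starttls)
                line_reset(&l);   /* the fix: forget bytes that predate the handshake */
        } else if (tls) {
            injected++;           /* leftover plaintext handled as if TLS-protected */
        }
    }
    return injected;
}
```

With the reset in place the trailing DATE is dropped and the client has to send it again over TLS, which is exactly the difference between the two openssl transcripts above.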

Modified:
  trunk/doc/pod/news.pod
  trunk/nnrpd/line.c
  trunk/nnrpd/misc.c
  trunk/nnrpd/nnrpd.h
  trunk/nnrpd/sasl.c

------------------+
 doc/pod/news.pod |    8 ++++++++
 nnrpd/line.c     |   11 +++++++++++
 nnrpd/misc.c     |    3 +++
 nnrpd/nnrpd.h    |    5 +++--
 nnrpd/sasl.c     |    3 +++
 5 files changed, 28 insertions(+), 2 deletions(-)

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2011-07-05 18:30:57 UTC (rev 9216)
+++ doc/pod/news.pod	2011-07-05 20:37:42 UTC (rev 9217)
@@ -147,6 +147,14 @@
 
 =item *
 
+Fixed a possible plaintext command injection during the negotiation of a
+TLS layer.  The vulnerability detailed in CVE-2011-0411 affects the STARTTLS
+and AUTHINFO SASL commands.  B<nnrpd> now resets its read buffer upon a
+successful negotiation of a TLS layer.  It prevents malicious commands, sent
+unencrypted, from being executed in the new encrypted state of the session.
+
+=item *
+
 B<cnfsheadconf> now properly recognizes continuation lines in
 F<cycbuff.conf>, that is to say lines ending with a backslash (C<\>).
 Thanks to John S<F. Morse> for the bug report.
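Review bot: the changelog entry omits the affected range stated in the commit message (present since INN 2.3.0, when STARTTLS was implemented); adding that sentence would let administrators tell from the changelog alone whether their installed version is exposed.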

Modified: nnrpd/line.c
===================================================================
--- nnrpd/line.c	2011-07-05 18:30:57 UTC (rev 9216)
+++ nnrpd/line.c	2011-07-05 20:37:42 UTC (rev 9217)
@@ -67,6 +67,17 @@
 }
 
 /*
+**  Reset a line structure.
+*/
+void
+line_reset(struct line *line)
+{
+    assert(line);
+    line->where = line->start;
+    line->remaining = 0;
+}
+
+/*
 **  Timeout is used only if HAVE_SSL is defined.
 */
 static ssize_t
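Review bot: line_reset() silently throws away any bytes still pending in the buffer. A non-zero `line->remaining` at the new call sites is exactly the situation the commit describes (commands sent in plaintext alongside STARTTLS or AUTHINFO SASL), so consider having the caller log a notice when data is discarded; that gives operators a detection signal for attempted injection. The header comment could also say that pending data is dropped, not merely that the structure is reset.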

Modified: nnrpd/misc.c
===================================================================
--- nnrpd/misc.c	2011-07-05 18:30:57 UTC (rev 9216)
+++ nnrpd/misc.c	2011-07-05 20:37:42 UTC (rev 9217)
@@ -518,5 +518,8 @@
         GRPcount = 0;
         PERMgroupmadeinvalid = false;
     }
+
+    /* Reset our read buffer so as to prevent plaintext command injection. */
+    line_reset(&NNTPline);
 }
 #endif /* HAVE_SSL */
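Review bot: the reset is placed unconditionally at the end of the function, and the hunk context does not show whether the failed-handshake paths return before this point. If they fall through, the buffer is also reset on failure; that is harmless for security but differs from the sasl.c hunk, where the call sits inside the success branch, so it is worth confirming the control flow or moving the call next to the success check.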

Modified: nnrpd/nnrpd.h
===================================================================
--- nnrpd/nnrpd.h	2011-07-05 18:30:57 UTC (rev 9216)
+++ nnrpd/nnrpd.h	2011-07-05 20:37:42 UTC (rev 9217)
@@ -217,7 +217,7 @@
 extern int		LockPostRec(char *path);
 extern void		UnlockPostRec(char *path);
 extern int		RateLimit(long *sleeptime, char *path);
-extern void		ExitWithStats(int x, bool readconf);
+extern void		ExitWithStats(int x, bool readconf) __attribute__ ((noreturn));
 extern char		*GetHeader(const char *header, bool stripspaces);
 extern void		GRPreport(void);
 extern bool		NGgetlist(char ***argvp, char *list);
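Review bot: the `__attribute__ ((noreturn))` annotation on ExitWithStats() (and the matching one on CMDquit() in the following hunk) is unrelated to the CVE-2011-0411 fix and is not mentioned in the commit message; it would be clearer as a separate commit. It also relies on `__attribute__` being defined away for non-GCC compilers, which the portability headers should already handle but is worth confirming.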
@@ -246,7 +246,7 @@
 extern void             CMDnextlast     (int ac, char** av);
 extern void             CMDover         (int ac, char** av);
 extern void             CMDpost         (int ac, char** av);
-extern void             CMDquit         (int ac, char** av);
+extern void             CMDquit         (int ac, char** av) __attribute__ ((noreturn));
 extern void             CMDxgtitle      (int ac, char** av);
 extern void             CMDpat          (int ac, char** av);
 extern void             CMD_unimp       (int ac, char** av);
@@ -291,6 +291,7 @@
 
 void line_free(struct line *);
 void line_init(struct line *);
+void line_reset(struct line *);
 READTYPE line_read(struct line *, int, const char **, size_t *, size_t *);
 
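Review bot: the new prototype sits sensibly next to line_init()/line_free(), but a one-line comment stating when callers must invoke it (after any successful security-layer negotiation, before the next line_read()) would stop future protocol-upgrade code from forgetting the reset.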
 #ifdef HAVE_SASL

Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c	2011-07-05 18:30:57 UTC (rev 9216)
+++ nnrpd/sasl.c	2011-07-05 20:37:42 UTC (rev 9217)
@@ -326,6 +326,9 @@
                 GRPcount = 0;
                 PERMgroupmadeinvalid = false;
             }
+
+            /* Reset our read buffer so as to prevent plaintext command injection. */
+            line_reset(&NNTPline);
         }
     } else {
 	/* Failure. */
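Review bot: the comment copied here correctly says the reset prevents plaintext command injection, but the commit message and the news.pod entry describe the AUTHINFO SASL case as "negotiation of a TLS layer". In this path it is a SASL security layer that is negotiated, so "security layer" (covering both TLS and SASL) would be the more accurate wording in the changelog.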
