Internet Holes: Network News Transfer Protocol

Copyright(c), 1996, Dr. Frederick B. Cohen

Series Introduction

The Internet is now the world's most popular network and it is full of potential vulnerabilities. In this series of articles, we explore the vulnerabilities of the Internet and what you can do to mitigate them.


An Introduction to Internet Newsgroups

Internet newsgroups provide a way for hundreds of users to post messages received by thousands of recipients every day. There are about 12,000 newsgroups on the Internet, so when you add it all up, that's a lot of information. To get a sense of the overall magnitude of news on the Internet, each day, there are over 100 megabytes of new information sent through the Internet news servers. Of course not all sites get all of the news feeds.

To make newsgroups work, each newsgroup is created based on a vote of the potential membership. Once a newsgroup exists, anyone on the Internet can post news to it. If the forum is unmoderated (as most are), anything that is posted is sent to all of the recipients whenever they next read the news. If the forum is moderated, the moderator provides a list of authorized users who can post to the newsgroup and allows postings to be placed on the news service by forwarding them with an authorization message to the service supplying the news feed.

News is exchanged through the Network News Transfer Protocol ( NNTP), which normally operates on TCP port 119 on computers connected to the Internet. The details of NNTP are covered in (RFC977) (titled Network News Transfer Protocol ) and (RFC1036) (titled Standard for Interchange of USENET Messages ). To quote from the RFC977:

How Does NNTP Work?

When you read news, you send a request to a news server for a list of newsgroups that have been added since your last reading of the news by using the NEWGROUPS command, get the response, and can sign up for new services as desired. Next, you use the NEWNEWS command on each newsgroup you subscribe to to get a list of new articles for each newsgroup you are subscribed to. Finally, you request individual articles which are returned as requested.

All of these operations are carried out using a Transmission Control Protocol (TCP) channel through the Internet between your host and a news server, typically residing somewhere on the Internet, or perhaps within your organization. This action takes place on TCP port 119, and for those who are used to using telnet, you can connect to your local news server by using the command:

The protocol works in much the same way as the Simple Mail Transfer Protocol (SMTP) that exchanges mail is used. For example, the following session:

unix-prompt>telnet pubxfer.news.psi.net 119
Trying 38.8.77.2 ...
Connected to pubxfer.news.psi.net.
Escape character is '^]'.
200 server.net InterNetNews NNRP server INN 1.4 20-Mar-93 ready (posting ok).
help
100 Legal commands
  authinfo user Name|pass Password
  article [MessageID|Number]
  body [MessageID|Number]
  date
 ...
  xpat header range|MessageID pat [morepat...]
  xpath xpath MessageID
Report problems to 
.

Insecurities in NNTP

To understand the security implications of NNTP we have to look at the individual protocol elements and the implementation.

Individual Protocol Elements

NNTP commands result in responses. Certain responses are defined for each command, and each response is given a numerical value. Each command sequence is limited in length to 512 characters, and all transactions are in 7-bit ASCII codes. According to designers, most implementations are "8-bit clean".

Insecurities in the Message Interchange Standard

News postings also follow RFC1036, Several recent attacks have started to exploit one of the RFC1036 capabilities to destroy news postings before delivery. We begin with an example of the format of an article:

Relay-Version: version B 2.10 2/13/83; site from.net
Posting-Version: version B 2.10 2/13/83; site intermediary.net
Path: intermediary!mhuxj!mhuxt!eagle!jerry
From: jerry@from.net (Jerry Jones)
Newsgroups: net.general, net.security, other.newsgroup
Subject: the header of a legitimate mail message
Message-ID: <642@from.net>
Date: Friday, 19-Nov-95 16:14:55 EST
Followup-To: net.strage.facts
Expires: Saturday, 1-Jan-99 00:00:00 EST
Date-Received: Friday, 19-Nov-95 16:59:30 EST
Organization: Special Operations Organization

     The body of the article comes here, after a blank line.

It is important to note that the contents of these headers can be specified by the person creating the message and can contain arbitrary, false, or misleading information. For example, it is easy to forge a message as if it had come from another user at another site, just as in the SMTP protocol. It is possible to introduce characters that might be misinterpreted by the delivery mechanisms of some NNTP forwarders. These are the same sort of attacks that have worked in various forms against sendmail for many years.

Any unrecognized headers are allowed, and will be passed through unchanged. The required headers are Relay-Version, Posting-Version, From, Date, Newsgroups, Subject, Message-ID, Path. The optional headers are Followup-To, Date-Received, Expires, Reply-To, Sender, References, Control, Distribution, Organization. For example, high priority may be gained by specifying a header interpreted by most news readers. A return-receipt-requested header (or some such thing) may be specified to cause some mailers to automatically return the addresses of those who have received the message, thus generating mailing lists of people interested in various topics without their knowledge or permission.

The message identity is used to track messages throughout the news process. In order to conform to (RFC822) , the Message-ID must have the format:

"<" "unique" "@" "full domain name" ">"

This can be trivially forged, and perhaps even more importantly, if the "unique" entry is not unique, some interesting consequences can result. For example, you might get two different versions of the same message distributed throughout the network - one with the word NOT strategically placed in the message stream. Some people will get the plain message, and others will get the NOT message. The resulting confusion may be worth watching if it's on a controversial subject in an active news group. RFC1036 also warns that:

Long names have been used in many cases to overflow internal buffers and cause programs to execute malicious code as a result. As an aside, the angle brackets are considered part of the message ID.

The Path line can be used for interesting purposes depending on how the implementations operate. Again, according to RFC1036:

By creating a path list containing sites I don't want to get a posting, I can prevent them from receiving the news! Since much of the news goes through a select set of sites, I can effectively limit a news posting to go only outside the United States (for example). Even more interestingly, I may be able to convince the news system to route news from select sites through my site by inserting my site in the path between them and the major servers. This could eventually cause me to control their news feeds, selecting which articles to send them, adding articles strategically, altering content, etc.

According to designers, even though the RFC specifies this routing method, nobody uses it. All routing is done manually. Putting on my auditor's hat, this means that the specification and implementation don't agree. Ouch! This attack may not work because the specification isn't followed.

Other interesting headers include Reply-To, Sender, Followup-To, Date-Received, Expires, References, Distribution, Organization, and of course Control which is used to send control messages between news servers. We'll skip over all but the Control messages to save space, but don't assume that just because we skipped over them they are all safe from exploitation.

From RFC1036: The body of the Control header is the control message. Messages are a sequence of zero or more words, separated by white space (blanks or tabs). The first word is the name of the control message, remaining words are parameters to the message. The remainder of the header and the body of the message are also potential parameters; for example, the "From" line might suggest an address to which a response is to be mailed. ... Implementors and administrators may choose to allow control messages to be automatically carried out, or to queue them for manual processing. However, manually processed messages should be dealt with promptly.

Implementation Issues

We don't know for certain about any implementation flaws in the programs that implement NNTP, (a letter to the editor revealed one) but if sendmail is any indicator, it is likely that there are. Here are some of the places to look for potential problems.

Other Abuses of NNTP

There are some other ways that Internet news is abused related purely to what it is - a non-edited global news feed.

What Can We Do About It?

The fundamental challenge we face in network news is the integrity challenge. As a secondary issue, availability is a concern, however, since Internet news is not a critical system for many people, it is less of an issue. There is no privacy issue in Internet news since, by definition, it consists entirely of open forums with potentially unlimited distribution.

As a result of the widespread spamming and malicious use of the cancel capability, many people are now discussing ways to add authentication to network news, but there is no realistic solution on the horizon. For example, the new Internet protocols that are about to come out of the Internet Task Force don't provide strong authentication as a vital component of the protocols.

To support authentication in the Internet, we would need to implement a substantial infrastructure improvement in the form of a set of global key servers that could be used to associate cryptographic keys with individuals at sites. We would then have to migrate the entire Internet software suite toward the new standard, which would involve replacing or upgrading tens of millions of copies of about 100 different software components. The resulting overhead in terms of administration and bandwidth at this point in time would be excessive. Because of the nature of the Internet, it is unlikely that such services will become a predominant force in the next several years.

One thing we can all do is to protect ourselves and each other by moving increasingly toward moderated news forums and strong authentication between authorized news servers. The addition of integrity between major news feeds and editorial control over content is vital to having a good news service, whether it be Internet-based or otherwise. One good example of preventing forgeries by strong authentication is the use of PGP-based signatures on postings.

On the other side of the coin, moderators have human failings. We often find that the moderator is donating a lot of personal time and feels they have to get something back from their effort. Some want to advertise in their forums. Others want to limit expression of ideas. In the United States, a recent ruling against a major Internet service provider showed that any moderation of any sort leads to liability for all postings. Clearly, this is a legal blockade to moderation in the Internet.

Summary

Internet news is full of potentials for abuse. Some of these potentials are now being realized, while others are looming on the horizon. Because news is generally viewed as less critical than other systems, some may choose to abandon it, but for many, newsfeeds provide regular updates on fields of interest and act as a major source of information.

The solution to the NNTP problems, just as many of today's information protection challenges, is to address the integrity and availability issues head on.

A Final Comment

Some days, you just can't help getting good examples in the mail. This morning, as I finished writing this article, I got a piece of electronic mail from the Internet. It was from someone I don't know, to someone I don't know, and included a price quote of some sort. None of; my IP address, my site name, my user ID, or the user ID of anyone at any site I know of; was contained in the mail. I forwarded it to the supposed sender and recipient with a request to figure out how it got to me. If I can read other peoples' email by accident, imagine what I could do if I tried.

About The Author

Special Thanks

Special thanks go to Rich Salz who reviewed this manuscript for factual accuracy and helped make many improvements.