Subject talkd Buffer Overrun Vulnerability Date 17-jan-97
c939fa431a0c27fd1439d38e1a08e37b6d2a7cefc1407d5ad8ab1bd7c2a50ca0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Gert Meijerink Index : S-97-03
Distribution : World Page :
Classification: External Version:
Subject : talkd Buffer Overrun Vulnerability Date : 17-jan-97
===============================================================================
By courtesy of AUSCERT, the Australian CERT, we received information on a
vulnerability in talkd.
This information is made publicly available by AUSCERT advisory AA-97.01,
dated 17-jan-97
CERT-NL recommends that sites apply the steps outlines in Section 3.
Keywords: talkd
===============================================================================
AA-97.01 AUSCERT Advisory
talkd Buffer Overrun Vulnerability
17 January 1997
Last Revised: --
- - ---------------------------------------------------------------------------
AUSCERT has received information that there is a vulnerability in talkd.
This vulnerability may allow remote users to gain root privileges.
Exploit information regarding this vulnerability has been made publicly
available.
The vulnerabilities in the talkd program affect numerous vendors and
platforms. AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.
This advisory will be updated as more information becomes available.
- - ---------------------------------------------------------------------------
1. Description
AUSCERT has received information of a vulnerability in the talkd(8)
program used by talk(1). talk is a communication program which copies
text from one users terminal to that of another, possibly remote, user.
talkd is the daemon that notifies a user that someone else wishes
to initiate a conversation.
As part of the talk connection, talkd does a DNS lookup for the
hostname of the host where the connection is being initiating from.
Due to insufficient bounds checking on the buffer where the hostname
is stored, it is possible to overwrite the internal stack space of
talkd. By carefully manipulating the hostname information, it is
possible to force talkd to execute arbitrary commands. As talkd runs
with root privileges, this may allow intruders to remotely execute
arbitrary commands with these privileges.
This attack requires an intruder to be able to make a network
connection to a vulnerable talkd program and provide corrupt
DNS information to that host.
This type of attack is a particular instance of the problem described
in CERT advisory CA-96.04 "Corrupt Information from Network Servers".
This advisory is available from:
ftp://ftp.auscert.org.au/pub/cert/cert_advisories/
ftp://info.cert.org/pub/cert_advisories/
Sites should be aware that there are two different versions of the
talkd program. Depending on your system, they make take any of the
following names: talkd, otalkd, ntalkd.
Sites can check whether they are allowing talk sessions by checking
/etc/inetd.conf:
# grep -i talk /etc/inetd.conf | grep -v '^#'
Exploit information involving this vulnerability has been made
publicly available.
2. Impact
Intruders may be able to remotely execute arbitrary commands with root
privileges.
3. Workarounds/Solution
AUSCERT recommends that sites prevent the possible exploitation of
this vulnerability by immediately disabling any talkd program(s).
Vendor information about the vulnerability described in this advisory
is provided in Section 3.2.
3.1 Disable talkd program(s)
Sites should disable any talkd programs found in /etc/inetd.conf
by commenting those lines out and restarting inetd.
Example commands executed as root:
# grep -i talk /etc/inetd.conf
talk dgram udp wait root /usr/etc/in.talkd in.talkd
All references to talkd, otalkd or ntalkd should be commented out.
Comments in /etc/inetd.conf begin with "#".
After editing /etc/inetd.conf, sites should restart inetd. On many
Unix systems, this is done by sending the inetd process a HUP signal.
For SYSV:
# ps -ef | grep inetd | grep -v grep
# kill -HUP {inetd PID}
For BSD:
# ps -aux | grep inetd | grep -v grep
# kill -HUP {inetd PID}
3.2 Vendor information
Below is a list of vendors which are known to be affected by the
talkd vulnerability described in this advisory:
Hewlett Packard
Berkeley Software Design, Inc. (BSDI)
The following vendors have informed AUSCERT that they are not
vulnerable.
The OpenBSD project (OpenBSD 2.0)
RedHat Linux (RedHat Linux 4.0 and above)
If your vendor's name is not listed above, please contact your
vendor directly.
4. Additional measures
Most Unix systems ship with numerous network services enabled. Often
the functionality supplied by these network services is not required
by many sites. The large number of network services that are enabled
by default are to cater for all possible uses of the system.
AUSCERT encourages sites to examine all the network services which
are enabled and determine the necessity of each service. Sites can
determine what services are being offered by using netstat(1).
If a service is not required at your site, then it should be disabled.
For those services which are required, sites should consider restricting
access to only hosts which need those services. This may done on a
network level by placing access controls at a site's router or firewall.
In addition, sites should consider using the tcp_wrappers program to
provide access control and additional logging for individual hosts.
tcp_wrappers is available from:
ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/tcp_wrappers/
ftp://ftp.win.tue.nl/pub/security/
Note that while the use of tcp_wrappers is recommended because it
increases security in general, it may not prevent this vulnerability
being exploited.
...........................................................................
Appendix A Vendor information
This appendix will be updated as we receive additional information. If
your vendor is not listed below, or you require further vendor information,
please contact the vendor directly.
Berkeley Software Design, Inc. (BSDI)
=====================================
The version of ntalkd in BSD/OS is vulnerable to this problem
and an official patch is available from the <patches@BSDI.COM>
email server or via anonymous ftp at:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035
Hewlett Packard
===============
The HP-UX 10.X version of talkd is vulnerable to this problem. talkd
was not released under HP-UX 9.x. There are no patches available at
this time.
Linux
=====
This vulnerability in talkd was fixed in Linux NetKit-B-0.07. The
current version is NetKit-0.09 and contains this and other security
fixes. NetKit-0.09 updates NetKit-B-0.08.
The current version of NetKit is available from:
ftp://ftp.uk.linux.org/pub/linux/Networking/base
Linux RedHat 4.0 and later versions are not vulnerable to problem.
The OpenBSD Project
===================
OpenBSD 2.0 is not susceptible to the vulnerabilities described
in this advisory.
...........................................................................
- - ---------------------------------------------------------------------------
AUSCERT thanks the vendor community for their response, SNI for their
initial involvement, and CERT/CC. AUSCERT also thanks David Holland
for his contributions.
- - ---------------------------------------------------------------------------
=============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6IRTSYjBqwfc9jEQJdywCgwdl+6AWmkYV+tT9JZzuwv0+oa00An3hR
avJDVuDGGBxQG2J74Ud0+p/e
=gerh
-----END PGP SIGNATURE-----