exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

talkd.format.txt

talkd.format.txt
Posted May 22, 2002
Authored by Gobbles Security

A format string vulnerability exists in most talkd implementations. Talkd included with older linux netkits (like 0.9) and KDE 1-3 is vulnerable.

systems | linux
SHA-256 | 67132c71bf40f1f14f838751c0a29f131e04091274bdab696790d6a9c56fb48a

talkd.format.txt

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ALERT! ALERT! Multiple vendor talkd vulnerability ALERT! ALERT!

Forward
*******

Certain #phrack op have big mouth and do stuff like /topic #phrack
www.bugtraq.org stuff hoping to get greet in advisory.

Shut up lamer.


GOBBLES Advance Warning System
******************************

fc is heavily ridiculed in next GOBBLES advisory.


GOBBLES Advance Warning System
******************************

Next advisory is in comic book format.


Vulnerable
**********
KDE 1 - all platforms
KDE 2 - all platforms
KDE 3 - all platforms
talkd in older linux netkits (like 0.9).
Possibly many other talkd implementations based on drunk
student's announce.cpp from 1983.


Problem
*******

A formatstring vulnerability exist in many talkd implementations.


Technical details
*****************

In print_mesg(), located in announce.cpp GOBBLES see this
piece of newbie code:


void print_mesg(FILE * tf, NEW_CTL_MSG * request, const char *
remote_machine, int usercfg, int force_no_sound)
{

..
const char *remotename = gethostbyname(remotemach)->h_name;
..
snprintf(buffer, N_CHARS, "%s@%s", request->l_name, remotename);
snprintf(line_buf[i], N_CHARS, Options.announce2, buffer);
..
if (!(strcmp(localname,remotename))) {
snprintf(line_buf[i], N_CHARS, Options.announce3, request->l_name);
} else {
snprintf(line_buf[i], N_CHARS, Options.announce3, buffer);
}
..
bptr = big_buf;
if (!force_no_sound) /* set if a X announce has been done */
if (sound_or_beep(usercfg)) /* if no sound then : */
*bptr++ = '^G'; /* send something to wake them up */
*bptr++ = '\r'; /* add a \r in case of raw mode */
*bptr++ = '\n';
for (i = 0; i < N_LINES; i++) {
/* copy the line into the big buffer */
lptr = line_buf[i];
while (*lptr != '\0')
*(bptr++) = *(lptr++);

..
fprintf(tf, big_buf);

..


Unless reader havent spotted offending code yet, it's the fprintf() line!

In top of file announce.cpp GOBBLES read:

* Copyright (c) 1983 Regents of the University of California.
* All rights reserved.

License go on to say crap about "no code based off this can be promoted
without the prior consent of the copyright holder. . ." and other junk, so
GOBBLES will not do promotion of exploit code for this vulnerability, just
will make fun of sloppy code.

The Origin of syslog() Bug
**************************

During extensive grep syslog stuff of code, GOBBLES search back and discover
some thing of historical importance concerning where original syslog() bug
come from, and here is what GOBBLES Security did discover.

The test code that comes with sysklogd-1.4.1 contains unformatted syslog()
calls.

syslog_tst.c:
...
if (argc > 1)
{
if ( (*argv[1] == '-') && (*(argv[1]+1) == '\0') )
{
while (!feof(stdin))
if ( fgets(bufr, sizeof(bufr), stdin) !=
(char *) 0 )
{
if ( (nl = strrchr(bufr, '\n')) !=
(char *) 0)
*nl = '\0';
syslog(LOG_INFO, bufr);
logged += strlen(bufr);
if ( logged > 1024 )
{
sleep(1);
logged = 0;
}

}
}
else
while (argc-- > 1)
syslog(LOG_INFO, argv++[1]);
}
...

Of course, Paul Vixie's ftpd from ftp.vix.com contains more format bugs
that scut's paper on the subject, but what do you expect from someone like
Vix? Real point to all of this is to show that syslogd programmer try to
encourage poor use of syslog() not understanding ramficiation of problems
that evolve from that style people learned in later years and such.

On other note, check out ftp.vix.com/pub/vixie/ftpd.tar.gz if you need
something to laugh at...

Workaround
**********

1. Find and chmod -x all *talkd*-binaries until official patch is released.
2. sed 's/fprintf\(tf, big_buf\);/fprintf\(tf, "%s", big_buf\);/'


History
*******

Similar hole discovered and disclosed by antisec/K2 in OpenBSD, that was
said to not be exploitable... (unexploitable? hehehe, no strvis wizards?)

That one only take GOBBLES Security researchers three hours to write fully
automated, multiarchitecture remote root exploit, but whatever, writing it
was completely trivial for us. . . very beginner stuff.


Closing
*******

Huge, big, important announcements coming soon from GOBBLES Security. . .
GOBBLES suggest staying bright and attentive for details concerning these
things which will be announced and made public very soon. . .


Funny Links
***********

* Pine Internet Advisory: Setuid application execution may give local root
in FreeBSD Patrick Oonk (Mon Apr 22 2002 - 03:58:25 CDT)
http://archives.neohapsis.com/archives/bugtraq/2002-04/0305.html

* Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio Theo de Raadt (Mon
Apr 22 2002 - 14:23:51 CDT)
http://archives.neohapsis.com/archives/bugtraq/2002-04/0304.html

(In this post, Theo try to make fun of Patrick saying that only reason
Patrick find this bug is that Theo find it first and patch Theo-BSD with
it, showing off that he smarter than everyone else as usual (well, not
that Theo smarter than anyone else really, since even the average scriptkid
find owning OpenBSD to be trivial task, but in he own mind he > * . . .))

* OpenBSD local DoS and root exploit fozzy@dmpfrance.com (Thu May 09 2002 -
08:11:31 CDT)
http://archives.neohapsis.com/archives/bugtraq/2002-05/0066.html

(In this advisory, Fozzy show that Theo attempt to patch bug in OpenBSD was
completely vain and that OpenBSD was still vulnerable to same bug as
FreeBSD, and that Theo really just lamer with ego who not good enough to
be on NetBSD team anymore. Notice greets to GOBBLES, hehe, thankx Fozzy!
Come to defcon for free tshirt, hehe :PPPPPppppp!)

Congradulations to Theo for making himself look like asshole. Everyone
already know that Theo lame, but few realize that he also is just asshole. . .

http://udp.livejournal.com -- #phrack's finest, grab your magic decoder ring
and pray to sweet jebus that you'll be able to understand just a single word...

Greetz
******

The Bronc Buster, who have nothing better to do at important cisco.com job
than to beg GOBBLES for attention. You too, like op in #phrack, need to
shut up. No tshirt for you, homie. You are not funny, at all...


GOBBLES Security
"Often imitated, never cloned."


Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
HushMail Secure Email http://www.hushmail.com/
HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
Hush Business - security for your Business http://www.hush.com/
Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjzqYcMVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPeyYA
nindTi9nbenpuRb3qKHutKbud4TWAJsH9C2wj5gVEFoqrd7IQ78QuEbeAA==
=ve5l
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close