Next Generation Security Advisory 2002.3

Posted May 24, 2002
Authored by FJ Serna, NGSSoftware | Site ngsec.com

Next Generation Advisory NGSEC-2002-3 - Sun Solaris in.talkd is vulnerable to a remote root format string bug. An attacker can request a talk session with an especially crafted user field, able to write memory and gain control of the flow of in.talkd.

tags | remote, root
systems | solaris
SHA-256 | 7fa8d1d538e9e06e7e46c09cb39e2c8630bd909c9fbb9f637606a8b0e9b96d44


Next Generation Security Technologies
Security Advisory

Title: Solaris in.talkd, remote root compromise
ID: NGSEC-2002-3
Application: in.talkd on Solaris 9ea or older (http://www.sun.com)
Date: 23/05/2002
Status: Due to parallel release of bug, vendor not contacted.
Platform: Solaris
Author: Fermín J. Serna <fjserna@ngsec.com>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt

---------

Sun Solaris in.talkd is vulnerable to a format string bug which can be
exploited remotely. An attacker can request a talk session with an
especially crafted luser field, able to write memory and gain control of
the flow of in.talkd.

This vulnerability can also be exploited through the clt_addr field and its
resolved name (in conjunction with a DNS the attacker controls).

GOBBLES discovered this bug (Who was first? ;), and reported it to
Bugtraq. They did not say Solaris was vulnerable.

Technical description:
----------------------

Sun Solaris in.talkd is a daemon installed and enabled by default on all
Solaris 2.* systems. This daemon contains a format string bug in the
following line at in.talkd/announce.c

print_mesg(FILE *tf, CTL_MSG *request, char *remote_machine) {
fprintf(tf, big_buf);

in.talkd calls print_mesg from:


This fprintf call has no format string argument: big_buf itself is used as
the format. Since big_buf contains user-supplied data such as luser, an
attacker can send in.talkd a request whose luser field contains a malicious
format string (e.g. %n).
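As an added illustration (this is not NGSEC's or Sun's code; the buffer layout and the names big_buf, luser and remote_host are modelled on the message text in the advisory rather than taken from announce.c), the C below places the vulnerable call beside the hardened one and adds a small checker a defender can run over the two peer-controlled fields the advisory names, the luser field and the resolved remote host name:

```c
#include <stdio.h>
#include <string.h>

#define BIG_BUF 512

/* Build the announcement text with the peer-supplied user name (luser) and
 * the remote host name interpolated as data. The layout mirrors the message
 * shown in the advisory; it is an assumption, not Sun's announce.c. */
static void build_announcement(char *big_buf, size_t n,
                               const char *luser, const char *remote_host,
                               const char *my_host, int hour, int min)
{
    snprintf(big_buf, n,
             "Message from Talk_Daemon@%s at %d:%02d ...\n"
             "talk: connection requested by %s@%s.\n"
             "talk: respond with: talk %s@%s\n",
             my_host, hour, min, luser, remote_host, luser, remote_host);
}

/* VULNERABLE, the advisory's pattern: big_buf is passed as the format, so any
 * %-directive that arrived inside luser or remote_host is interpreted. Shown
 * only for contrast; this example never calls it with untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void print_mesg_vulnerable(FILE *tf, const char *big_buf)
{
    fprintf(tf, big_buf);
}
#pragma GCC diagnostic pop

/* FIXED: the message is always data, never a format. */
static void print_mesg_fixed(FILE *tf, const char *big_buf)
{
    fprintf(tf, "%s", big_buf);
}

/* Count %-conversions in an untrusted field ("%%" is a literal percent and
 * is not counted). Any count above zero in a user or host name is a strong
 * signal of a format-string probe in talk request logs. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {        /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Detection helper covering both vectors named in the advisory: the luser
 * field and the (DNS-resolved) remote host name. */
static int request_looks_hostile(const char *luser, const char *remote_host)
{
    return count_format_directives(luser) > 0 ||
           count_format_directives(remote_host) > 0;
}

/* Render the hardened message into a caller buffer. Returns 1 when the
 * luser text survived verbatim (no directives were interpreted). */
static int render_fixed(char *out, size_t n,
                        const char *luser, const char *remote_host)
{
    char big_buf[BIG_BUF];
    build_announcement(big_buf, sizeof big_buf, luser, remote_host,
                       "ultra", 15, 1);
    snprintf(out, n, "%s", big_buf);     /* same as print_mesg_fixed, to memory */
    return strstr(out, luser) != NULL;
}

int main(void)
{
    char out[BIG_BUF];
    const char *probe = "%#x %#x";       /* constructed, after the advisory's test */

    render_fixed(out, sizeof out, probe, "localhost");
    print_mesg_fixed(stdout, out);       /* prints the %#x %#x literally */
    print_mesg_vulnerable(stdout, "benign text, no directives\n");
    printf("hostile: %d\n", request_looks_hostile(probe, "localhost"));
    return 0;
}
```

With the fixed call the announcement on the Solaris console would read "connection requested by %#x %#x@localhost." instead of the decoded stack values shown in the proof below; the same "%s" discipline applies to every place a peer-derived buffer reaches the printf family, syslog() included.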

NGSEC has developed an exploit for this vulnerability but we are not going
to release it for obvious reasons (remote root compromise of a widely
deployed application).

Proof of vulnerability:
-----------------------

On the attacker machine:

piscis:~/lots-of-0days/sun-talkd# rusers -l ultra
root ultra:pts/0 May 15 14:56 :01 (piscis)
piscis:~/lots-of-0days/sun-talkd# ./talkd-x --test "%#x %#x" ultra root
Solaris (up to 9ea) in.talkd xploit by Fermín J. Serna <fjserna@ngsec.com>
Next Generation Security Technologies

Entering test mode
Talk request from "%#x %#x:" to "root:ultra" sent!.

On the solaris machine:

ultra:/# uname -a
SunOS ultra 5.7 Generic_106541-19 sun4u sparc SUNW,Ultra-5_10

Message from Talk_Daemon@ultra at 15:01 ...
talk: connection requested by 0xa 0x14@localhost.
talk: respond with: talk 0x5 0xffbef980@localhost


----------------
Chmod 000 in.talkd and wait for Sun's patch.

More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.
