what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CA-97.04.talkd

CA-97.04.talkd
Posted Sep 14, 1999

A vulnerability in talkd(8) program used by talk(1) makes it possible to provide corrupt DNS information to a host and to remotely execute arbitrary commands with root privileges. The advisory includes information on how to solve the general problem as well as the specific one.

tags | arbitrary, root
SHA-256 | 2a739733ef6b9a6ada53275ce1043809377375e1ab44ba2b0ea11fc870acac65

CA-97.04.talkd

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----


=============================================================================
CERT(sm) Advisory CA-97.04
Original issue date: January 27, 1997
Last Revised: September 26, 1997
Updated copyright statement

A complete revision history is at the end of this file.


Topic: talkd Vulnerability
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability in
talkd(8) program used by talk(1). By constructing DNS data with particular
characteristics, an intruder can remotely execute arbitrary commands with root
privileges.

An exploitation script for this problem has been made publicly available,
and we have received reports of successful root compromises involving the use
of this script.

You may be aware of advisories that have been published by other response
teams about this problem. Note that this advisory contains additional material
and covers additional aspects of the vulnerability related to a broader set of
problems of which this particular problem is only a specific instance.

The CERT/CC team recommends taking steps to solve the general problem
(Sec. III.A) and installing a vendor patch to address this particular instance
of the problem (Sec. III.B). Until you can install a patch, we urge you to
disable the talkd program(s) at your site.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I. Description

The CERT Coordination Center has received information of a vulnerability
in the talkd(8) program used by talk(1). talk is a communication program
that copies text from one user's terminal to that of another, possibly
remote, user. talkd is the daemon that notifies a user that someone else
wishes to initiate a talk conversation.

As part of the talk connection, talkd does a DNS lookup for the name
of the host that the connection is being initiated from. Because there
is insufficient bounds checking on the buffer where the hostname is
stored, it is possible to overwrite the internal stack space of talkd.

It is possible to force talkd to execute arbitrary commands by carefully
manipulating the hostname information. As talkd runs with root
privileges, this may allow intruders to remotely execute arbitrary
commands with these privileges.

This attack requires an intruder to be able to make a network connection
to a vulnerable talkd program and provide corrupt DNS information to that
host.

This type of attack is a particular instance of the problem described in
CERT advisory CA-96.04, "Corrupt Information from Network Servers,"
available from

ftp://info.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers

Sites that use BIND 4.9.4 Patch Level 1 or later are NOT vulnerable to
the general class of hostname/ip-address-based buffer overflow attacks
(including this specific problem).

Be aware that there are different versions of the talkd program.
Depending on your system, the program may have any of the following
names: talkd, otalkd, ntalkd.

To determine whether your site allows talk sessions, check
/etc/inetd.conf:

# grep -i "^[a-z]*talk" /etc/inetd.conf

Note: An exploitation script for this problem has been made publicly
available. The CERT/CC has received reports of successful root
compromises involving the use of this script.

II. Impact

Intruders may be able to remotely execute arbitrary commands with root
privileges. They do not need access to an account on the system to
exploit this vulnerability.

III. Solution

There are several options available to avoid this problem. We recommend
that all sites defend against the general class of problem (Sec. A) and
also install a patch from your vendor (Sec. B). Until you can install a
patch, we urge you to disable the talkd program(s) at your site (Sec C).

Note that disabling the talkd program will defend against the
particular attack described in this advisory, but will not defend
against the general class of network-based attacks that manipulate
hostname/ip-address information to exploit a vulnerability.


A. Defend against the general class of problem

In the general case, the problem described in this advisory is one
in which the attacker uses particular hostname/ip-address data to
exploit a vulnerability. The exploitation script mentioned above
uses the specific case of DNS attacks, but attackers can use other
hostname/ip-address resolution methods, such as NIS, /etc/hosts,
and so on.

If the following measures are in place for all hostname/address
transformation techniques on your system, then your system would be
immune not only to this particular talkd exploit, but also to the
general class of hostname/ip-address-based buffer overflow attacks.

1. DNS-Based Attacks

To defend against a DNS-based attack, we encourage you to upgrade to
BIND 4.9.4 Patch level 1 or later (or your vendor's equivalent). The
reason is that BIND 4.9.4 Patch Level 1 conforms to the RFC (RFC 952)
defining valid hostname syntax (described in CERT advisory CA-96.04,
"Corrupt Information from Network Servers").

Keep in mind that an upgrade to 4.9.5 may require a sendmail upgrade
because of the POSIX extensions in the latest version of BIND
(described in CA-96.04). For the latest available version of sendmail,
please consult the file

ftp://info.cert.org/pub/latest_sw_versions/sendmail

2. Other Network Information Services

For systems that rely on additional name/address transformation
techniques (such as NIS, netinfo, and flat files like /etc/hosts),
using the recommended version of BIND may be insufficient since DNS
lookups--and therefore hostname/ip-address validation--may be bypassed
in favor of the alternative technique (NIS, netinfo, etc). Thus, we
also encourage sites and vendors to include in the suite of resolution
techniques the same code that BIND uses to validate hostnames and IP
addresses. This code is described in the next section.

3. In-house Software

Use the hostname and IP address validation subroutines available
at the locations listed below. Include them in all programs that
use the result of the hostname lookups in any way.

ftp://info.cert.org/pub/tools/ValidateHostname/IsValid.c
ftp://ftp.cert.dfn.de/pub/tools/net/ValidateHostname/IsValid.c

The IsValid.c file contains code for the IsValidHostname and
IsValidIPAddress subroutines. This code can be used to check host
names and IP addresses for validity according to RFCs 952 and 1123,
as well as names containing characters drawn from common practice,
namely "_" and "/".

The following files are in the directory (from the README):

IsValid.l The lex/flex file containing the code for
IsValidHostname and IsValidIPAddress
MD5 (IsValid.l) = 2d35040aacae4fb12906eb1b48957776

IsValid-raw.c The C file created by running flex
on IsValid.l
MD5 (IsValid-raw.c) = 367c77d3ef84bc63a5c23d90eeb69330

IsValid.c The edited file created by internalizing
variable and function definitions in
IsValid-raw.c
MD5 (IsValid.c) = ffe45f1256210aeb71691f4f7cdad27f

IsValid.diffs The set of diffs between IsValid-raw.c
and IsValid.c
MD5 (IsValid.diffs) = 3619022cf31d735151f8e8c83cce3744

htest.c A main routing for testing IsValidHostname
and IsValidIPAddress
MD5 (htest.c) = 2d50b2bffb537cc4e637dd1f07a187f4


B. Install a patch from your vendor

Below is a list of the vendors who have provided information. Details
are in Appendix A of this advisory; we will update the appendix as we
receive additional information.

If your vendor's name is not on this list, we have not received any
information. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
Cisco Systems
Data General Corporation
FreeBSD, Inc.
Hewlett-Packard Company
IBM Corporation
Linux
NEC Corporation
The Santa Cruz Operation, Inc. (SCO)
Silicon Graphics Inc. (SGI)
Solbourne (Grumman System Support)
Sun Microsystems, Inc.

C. Disable the talkd program(s)

Until you can install a vendor patch, disable any talkd programs found
in /etc/inetd.conf by commenting out those lines and restarting inetd.

Example commands executed as root:

# grep -i talk /etc/inetd.conf
talk dgram udp wait root /usr/etc/in.talkd in.talkd

Comment out *all* references to talkd, otalkd or ntalkd.
(Comments in /etc/inetd.conf begin with "#".)

After editing /etc/inetd.conf, restart inetd. On many Unix systems,
this is done by sending the inetd process a HUP signal.

For SYSV:

# ps -ef | grep inetd | grep -v grep
# kill -HUP {inetd PID}

For BSD:

# ps -aux | grep inetd | grep -v grep
# kill -HUP {inetd PID}

Note that disabling talkd will solve the specific problem discussed in
this advisory. However it will not solve the general problem of
network-based attacks that manipulate hostname/ip-address information
to exploit a vulnerability.


...........................................................................

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, please contact the vendor directly.


Berkeley Software Design, Inc. (BSDI)
=====================================
We have released an official patch (U210-035). It's available from our
patches@BSDI.COM mail-back server or via anonymous ftp at:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035


Cisco Systems
=============
Cisco MultiNet for OpenVMS - not vulnerable.


Data General Corporation
========================
Data General is not vulnerable.


FreeBSD, Inc.
=============
We have released an advisory dated 1997-01-18, FreeBSD-SA-96:21.

The advisory can be found at:
ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:21.talkd.asc

Patches are available at:
ftp://freebsd.org/pub/CERT/patches/SA-96:21



Hewlett-Packard Company
=======================
HPSBUX9704-061
HEWLETT-PACKARD SECURITY BULLETIN: #00061

Description: Security Vulnerability in talkd

Security Bulletins are available from the HP Electronic
Support Center via electronic mail.

User your browser to get to the HP Electronic Support
Center page at:

https://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)

https://europe-support.external.hp.com
(for Europe)



IBM Corporation
===============
The version of talkd shipped with AIX is vulnerable to the conditions
described in this advisory. The APARs listed below will be available
shortly. It is recommended that the talkd daemon be turned off until
the APARs are applied.

AIX 3.2: APAR IX65474
AIX 4.1: APAR IX65472
AIX 4.2: APAR IX65473

To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:

https://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


IBM and AIX are registered trademarks of International Business Machines
Corporation.


Linux
======
This bug was fixed in Linux NetKit 0.08 which is shipped with all reasonably
up to date Linux distributions. Linux users using NetKit 0.07 or earlier
should upgrade to NetKit 0.09. NetKit 0.09 has fixed other bugs and it is
strongly recommended Linux users upgrade from NetKit 0.08 to NetKit
0.09. This is available from
ftp://ftp.uk.linux.org/pub/linux/Networking/base/NetKit-0.09.tar.gz

Some vendors have opted to issue NetKit 0.08 with additional fixes rather
than 0.09. Consult your vendor for detailed information.

The Linux community would like to thank David A Holland for his continuing
work on Linux network security.


NEC Corporation
===============
UX/4800 Vulnerable for all versions.
EWS-UX/V(Rel4.2MP) Vulnerable for all versions.
EWS-UX/V(Rel4.2) Vulnerable for all versions.
UP-UX/V(Rel4.2MP) Vulnerable for all versions.

Patches for these vulnerabilities are in progress.

Contacts for further information by e-mail:

UX48-security-support@nec.co.jp


The Santa Cruz Operation, Inc. (SCO)
====================================
SCO is investigating the problem with talkd and will provide updated
information for this advisory as it becomes available. At this time SCO
recommends disabling talkd on your SCO system as described herein.


Silicon Graphics Inc. (SGI)
===========================

For additional information refer to the Silicon Graphics Inc. Security
Advisory Number 19970701-01-PX.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com. Security information and patches can be found in
the ~ftp/security and ~ftp/patches directories, respectfully.


Solbourne (Grumman System Support)
==================================
We have examined the Solbourne implementation and found that
it is vulnerable. Solbourne distributed the Sun application
under license. We will distribute a Solbourne patch based
on the Sun patch when it becomes available. For the latest
information on our patches go to https://ftp.nts.gssc.com/solbourne.html

The workaround of disabling in.talkd can be used.
as root:

/etc/inetd.conf - comment out the talkd program
# ps -aux | grep inetd | grep -v grep
# kill -HUP {inetd PID listed in output of last command}


Sun Microsystems, Inc.
======================

For additional information refer to the Sun Microsystems,
Inc. Security Bulletin Number #00147.

Patches are available to all Sun customers via World Wide Web at:

ftp://sunsolve1.sun.com/pub/patches/patches.html

Customers with Sun support contracts can also obtain patches from local
Sun answer centers and SunSITEs worldwide.

Sun security bulletins are available via World Wide Web at:

https://sunsolve1.sun.com/sunsolve/secbulletins


- -----------------------------------------------------------------------------
The CERT Coordination Center thanks AUSCERT for their contribution to this
advisory, including the bulk of the problem description (which appeared in
AUSCERT advisory AA-97.01), and thanks the vendors listed in Appendix A for
their contributions.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts).


CERT/CC Contact Information
- ----------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
CERT publications and other security information are available from
https://www.cert.org/
ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for advisories and bulletins, send your
email address to
cert-advisory-request@cert.org

- ------------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
https://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


- ---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.04.talkd
https://www.cert.org
click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

September 26, 1997 Updated copyright statement
July 28, 1997 Appendix A - updated patch information for Silicon
Graphics, Inc. and Sun Microsystems, Inc.

May 8, 1997 Appendix A - updated patch information for Hewlett-Packard.

Feb. 7, 1997 Appendix A - added an entry for Cisco Systems.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDo7pXVP+x0t4w7BAQHAoAP/Q2YpyWth44xmIvE37CAQzTYntEmDLZ5T
jWqxReA0uSnCCYcCkELeAb7LJrH+lV/JM2EPiktObatLwR7TIjAXTSA9anLAkFmz
BtrQWw+YZXiV90Rf7lMnFU4Eb6McFoYiTpP7qFm0ibDBaNSZNnGHeWBGrvZp8Tjh
SyEpjH4qYvI=
=yy9D
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close