-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Gert Meijerink Index : S-97-03 Distribution : World Page : Classification: External Version: Subject : talkd Buffer Overrun Vulnerability Date : 17-jan-97 =============================================================================== By courtesy of AUSCERT, the Australian CERT, we received information on a vulnerability in talkd. This information is made publicly available by AUSCERT advisory AA-97.01, dated 17-jan-97 CERT-NL recommends that sites apply the steps outlines in Section 3. Keywords: talkd =============================================================================== AA-97.01 AUSCERT Advisory talkd Buffer Overrun Vulnerability 17 January 1997 Last Revised: -- - - --------------------------------------------------------------------------- AUSCERT has received information that there is a vulnerability in talkd. This vulnerability may allow remote users to gain root privileges. Exploit information regarding this vulnerability has been made publicly available. The vulnerabilities in the talkd program affect numerous vendors and platforms. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. - - --------------------------------------------------------------------------- 1. Description AUSCERT has received information of a vulnerability in the talkd(8) program used by talk(1). talk is a communication program which copies text from one users terminal to that of another, possibly remote, user. talkd is the daemon that notifies a user that someone else wishes to initiate a conversation. As part of the talk connection, talkd does a DNS lookup for the hostname of the host where the connection is being initiating from. Due to insufficient bounds checking on the buffer where the hostname is stored, it is possible to overwrite the internal stack space of talkd. By carefully manipulating the hostname information, it is possible to force talkd to execute arbitrary commands. As talkd runs with root privileges, this may allow intruders to remotely execute arbitrary commands with these privileges. This attack requires an intruder to be able to make a network connection to a vulnerable talkd program and provide corrupt DNS information to that host. This type of attack is a particular instance of the problem described in CERT advisory CA-96.04 "Corrupt Information from Network Servers". This advisory is available from: ftp://ftp.auscert.org.au/pub/cert/cert_advisories/ ftp://info.cert.org/pub/cert_advisories/ Sites should be aware that there are two different versions of the talkd program. Depending on your system, they make take any of the following names: talkd, otalkd, ntalkd. Sites can check whether they are allowing talk sessions by checking /etc/inetd.conf: # grep -i talk /etc/inetd.conf | grep -v '^#' Exploit information involving this vulnerability has been made publicly available. 2. Impact Intruders may be able to remotely execute arbitrary commands with root privileges. 3. Workarounds/Solution AUSCERT recommends that sites prevent the possible exploitation of this vulnerability by immediately disabling any talkd program(s). Vendor information about the vulnerability described in this advisory is provided in Section 3.2. 3.1 Disable talkd program(s) Sites should disable any talkd programs found in /etc/inetd.conf by commenting those lines out and restarting inetd. Example commands executed as root: # grep -i talk /etc/inetd.conf talk dgram udp wait root /usr/etc/in.talkd in.talkd All references to talkd, otalkd or ntalkd should be commented out. Comments in /etc/inetd.conf begin with "#". After editing /etc/inetd.conf, sites should restart inetd. On many Unix systems, this is done by sending the inetd process a HUP signal. For SYSV: # ps -ef | grep inetd | grep -v grep # kill -HUP {inetd PID} For BSD: # ps -aux | grep inetd | grep -v grep # kill -HUP {inetd PID} 3.2 Vendor information Below is a list of vendors which are known to be affected by the talkd vulnerability described in this advisory: Hewlett Packard Berkeley Software Design, Inc. (BSDI) The following vendors have informed AUSCERT that they are not vulnerable. The OpenBSD project (OpenBSD 2.0) RedHat Linux (RedHat Linux 4.0 and above) If your vendor's name is not listed above, please contact your vendor directly. 4. Additional measures Most Unix systems ship with numerous network services enabled. Often the functionality supplied by these network services is not required by many sites. The large number of network services that are enabled by default are to cater for all possible uses of the system. AUSCERT encourages sites to examine all the network services which are enabled and determine the necessity of each service. Sites can determine what services are being offered by using netstat(1). If a service is not required at your site, then it should be disabled. For those services which are required, sites should consider restricting access to only hosts which need those services. This may done on a network level by placing access controls at a site's router or firewall. In addition, sites should consider using the tcp_wrappers program to provide access control and additional logging for individual hosts. tcp_wrappers is available from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/tcp_wrappers/ ftp://ftp.win.tue.nl/pub/security/ Note that while the use of tcp_wrappers is recommended because it increases security in general, it may not prevent this vulnerability being exploited. ........................................................................... Appendix A Vendor information This appendix will be updated as we receive additional information. If your vendor is not listed below, or you require further vendor information, please contact the vendor directly. Berkeley Software Design, Inc. (BSDI) ===================================== The version of ntalkd in BSD/OS is vulnerable to this problem and an official patch is available from the email server or via anonymous ftp at: ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035 Hewlett Packard =============== The HP-UX 10.X version of talkd is vulnerable to this problem. talkd was not released under HP-UX 9.x. There are no patches available at this time. Linux ===== This vulnerability in talkd was fixed in Linux NetKit-B-0.07. The current version is NetKit-0.09 and contains this and other security fixes. NetKit-0.09 updates NetKit-B-0.08. The current version of NetKit is available from: ftp://ftp.uk.linux.org/pub/linux/Networking/base Linux RedHat 4.0 and later versions are not vulnerable to problem. The OpenBSD Project =================== OpenBSD 2.0 is not susceptible to the vulnerabilities described in this advisory. ........................................................................... - - --------------------------------------------------------------------------- AUSCERT thanks the vendor community for their response, SNI for their initial involvement, and CERT/CC. AUSCERT also thanks David Holland for his contributions. - - --------------------------------------------------------------------------- ============================================================================= CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBMt9tgUU5nQkWIq1FAQF30QP+I7XYXva4c79wJXQpIKjH7oN/qRHxBI2z bc3zBSMx+zKAdQ6rAZj1x9lUp8UfUMc76wmVCx+qCBgtKuv5stG0dJcguB1STjmu /ptVFyEQBx9bf09CrWLLQMVHE9JP0zVGv5Gy6qHusZqn7WnEb3dFrl0wXxP7kHe6 7ZkuwajalPI= =FMnZ -----END PGP SIGNATURE-----