BSD talkd Remote Format String Vulnerability
BID:1764
Info
BSD talkd Remote Format String Vulnerability
| Bugtraq ID: | 1764 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 05 2000 12:00AM |
| Updated: | Oct 05 2000 12:00AM |
| Credit: | First posted to Bugtraq by K2 <[email protected]> on October 5, 2000. Followup with additional information posted to Bugtraq by Chris Evans <[email protected]> on October 6, 2000. |
| Vulnerable: |
SGI IRIX 6.5.9 SGI IRIX 6.5.8 SGI IRIX 6.5.7 SGI IRIX 6.5.6 SGI IRIX 6.5.5 SGI IRIX 6.5.4 SGI IRIX 6.5.3 SGI IRIX 6.5.2 SGI IRIX 6.5.1 SGI IRIX 6.5 Redhat Linux 5.2 sparc Redhat Linux 5.2 i386 Redhat Linux 5.2 alpha Redhat Linux 5.1 Redhat Linux 5.0 OpenBSD OpenBSD 2.7 OpenBSD OpenBSD 2.6 OpenBSD OpenBSD 2.5 OpenBSD OpenBSD 2.4 OpenBSD OpenBSD 2.3 KDE KDE 3.0.1 KDE KDE 3.0 KDE KDE 2.0 KDE KDE 1.1 |
| Not Vulnerable: |
SGI IRIX 6.5.16 SGI IRIX 6.5.15 SGI IRIX 6.5.14 SGI IRIX 6.5.13 SGI IRIX 6.5.12 SGI IRIX 6.5.11 SGI IRIX 6.5.10 Redhat Linux 7.0 Redhat Linux 6.2 sparc Redhat Linux 6.2 i386 Redhat Linux 6.2 alpha Redhat Linux 6.1 sparc Redhat Linux 6.1 i386 Redhat Linux 6.1 alpha Redhat Linux 6.0 sparc Redhat Linux 6.0 alpha Redhat Linux 6.0 OpenBSD OpenBSD 2.8 |
Discussion
BSD talkd Remote Format String Vulnerability
talkd is a client-server application shipped with many unix variants that is used for user communication between hosts on a network. The version of talkd that ships with older Linux distributions and OpenBSD (possibly others) is vulnerable to a remotely exploitatable format string vulnerability.
When a talk client connects to a talk server and requests communication with a user, talkd (the server program) will check to see whether the user is accepting messages. If so, it will print a message to the users terminal telling them that "username@hostname" wants to chat with them. This is done via an fprintf() function, which happens to have passed to it client-supplied data as part of the format string.
The fprintf() call, in announce.c, uses as its format string argument the caller's username and the remote host. The caller's username is provided in the datagram sent by the client. It is thus possible for an attacker to modify a talk client so that a username value containing malicious format specifiers is sent and overwrite memory on the remote server process' stack.
It may be possible to execute arbitrary code remotely, leading to a root compromise.
talkd is enabled by default in OpenBSD. NetBSD may be vulnerable (unverified), though their implementation method of writing to the users terminal in talkd is slightly different. FreeBSD may also be vulnerable to this attack.
talkd is a client-server application shipped with many unix variants that is used for user communication between hosts on a network. The version of talkd that ships with older Linux distributions and OpenBSD (possibly others) is vulnerable to a remotely exploitatable format string vulnerability.
When a talk client connects to a talk server and requests communication with a user, talkd (the server program) will check to see whether the user is accepting messages. If so, it will print a message to the users terminal telling them that "username@hostname" wants to chat with them. This is done via an fprintf() function, which happens to have passed to it client-supplied data as part of the format string.
The fprintf() call, in announce.c, uses as its format string argument the caller's username and the remote host. The caller's username is provided in the datagram sent by the client. It is thus possible for an attacker to modify a talk client so that a username value containing malicious format specifiers is sent and overwrite memory on the remote server process' stack.
It may be possible to execute arbitrary code remotely, leading to a root compromise.
talkd is enabled by default in OpenBSD. NetBSD may be vulnerable (unverified), though their implementation method of writing to the users terminal in talkd is slightly different. FreeBSD may also be vulnerable to this attack.
Exploit / POC
BSD talkd Remote Format String Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution / Fix
BSD talkd Remote Format String Vulnerability
Solution:
A patch for this vulnerability has been in the KDE CVS tree since 2100 GMT May 21, 2002. The patched branches are KDE_2_2_BRANCH, KDE_3_0_BRANCH and HEAD.
KDE mentions that there are other problems with this code and suggests that users not use the service. KDE recommends users of older versions of KDE disable the ktalkd service entirely. The newest release of KDE, 3.0.1, does not include the relevant patches.
A patch for affected versions is available at ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7.tar.gz
This was fixed in OpenBSD 2.8.
OpenBSD OpenBSD 2.7
Solution:
A patch for this vulnerability has been in the KDE CVS tree since 2100 GMT May 21, 2002. The patched branches are KDE_2_2_BRANCH, KDE_3_0_BRANCH and HEAD.
KDE mentions that there are other problems with this code and suggests that users not use the service. KDE recommends users of older versions of KDE disable the ktalkd service entirely. The newest release of KDE, 3.0.1, does not include the relevant patches.
A patch for affected versions is available at ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7.tar.gz
This was fixed in OpenBSD 2.8.
OpenBSD OpenBSD 2.7
-
OpenBSD 2.7.tar.gz
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7.tar.gz
References
BSD talkd Remote Format String Vulnerability
References:
References: