Date: 25 July 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.01 AUSCERT Advisory
talkd Buffer Overrun Vulnerability
17 January 1997
Last Revised: 25 July, 1997
Updated vendor information for Silicon Graphics Inc.
and Sun Microsystems, Inc. in Appendix A
A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------
AUSCERT has received information that there is a vulnerability in talkd.
This vulnerability may allow remote users to gain root privileges.
Exploit information regarding this vulnerability has been made publicly
available.
The vulnerabilities in the talkd program affect numerous vendors and
platforms. AUSCERT recommends that sites take the steps outlined in
section 3 as soon as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
AUSCERT has received information of a vulnerability in the talkd(8)
program used by talk(1). talk is a communication program which copies
text from one users terminal to that of another, possibly remote, user.
talkd is the daemon that notifies a user that someone else wishes
to initiate a conversation.
As part of the talk connection, talkd does a DNS lookup for the
hostname of the host where the connection is being initiating from.
Due to insufficient bounds checking on the buffer where the hostname
is stored, it is possible to overwrite the internal stack space of
talkd. By carefully manipulating the hostname information, it is
possible to force talkd to execute arbitrary commands. As talkd runs
with root privileges, this may allow intruders to remotely execute
arbitrary commands with these privileges.
This attack requires an intruder to be able to make a network
connection to a vulnerable talkd program and provide corrupt
DNS information to that host.
This type of attack is a particular instance of the problem described
in CERT advisory CA-96.04 "Corrupt Information from Network Servers".
This advisory is available from:
ftp://ftp.auscert.org.au/pub/cert/cert_advisories/
ftp://info.cert.org/pub/cert_advisories/
Sites should be aware that there are two different versions of the
talkd program. Depending on your system, they make take any of the
following names: talkd, otalkd, ntalkd.
Sites can check whether they are allowing talk sessions by checking
/etc/inetd.conf:
# grep -i talk /etc/inetd.conf | grep -v '^#'
Exploit information involving this vulnerability has been made
publicly available.
2. Impact
Intruders may be able to remotely execute arbitrary commands with root
privileges.
3. Workarounds/Solution
AUSCERT recommends that sites prevent the possible exploitation of
this vulnerability by immediately disabling any talkd program(s).
Vendor information about the vulnerability described in this advisory
is provided in Section 3.2.
CERT/CC has released advisory CA-97.04 concerning this vulnerability in
talkd. This advisory contains more specific information on defending
against this general type of DNS attack. Sites are encouraged to
review this document. It can be retrieved from:
ftp://info.cert.org/pub/cert_advisories/CA-97.04.talkd
ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.04.talkd
3.1 Disable talkd program(s)
Sites should disable any talkd programs found in /etc/inetd.conf
by commenting those lines out and restarting inetd.
Example commands executed as root:
# grep -i talk /etc/inetd.conf
talk dgram udp wait root /usr/etc/in.talkd in.talkd
All references to talkd, otalkd or ntalkd should be commented out.
Comments in /etc/inetd.conf begin with "#".
After editing /etc/inetd.conf, sites should restart inetd. On many
Unix systems, this is done by sending the inetd process a HUP signal.
For SYSV:
# ps -ef | grep inetd | grep -v grep
# kill -HUP {inetd PID}
For BSD:
# ps -aux | grep inetd | grep -v grep
# kill -HUP {inetd PID}
3.2 Vendor information
The following vendors have provided information concerning the
vulnerability status of their talkd. Detailed information has been
appended in Appendix A. If your vendor is not listed below, you should
contact your vendor directly.
Berkeley Software Design, Inc. (BSDI)
Data General Corporation
FreeBSD, Inc
Hewlett Packard
IBM Corporation
Linux
NEC Corporation
NetBSD Project
The OpenBSD project
Red Hat Software
The Santa Cruz Operation, Inc. (SCO)
Silicon Graphics Inc. (SGI)
Solbourne (Grumman System Support)
Sun Microsystems, Inc.
4. Additional measures
Most Unix systems ship with numerous network services enabled. Often
the functionality supplied by these network services is not required
by many sites. The large number of network services that are enabled
by default are to cater for all possible uses of the system.
AUSCERT encourages sites to examine all the network services which
are enabled and determine the necessity of each service. Sites can
determine what services are being offered by using netstat(1).
If a service is not required at your site, then it should be disabled.
For those services which are required, sites should consider restricting
access to only hosts which need those services. This may done on a
network level by placing access controls at a site's router or firewall.
In addition, sites should consider using the tcp_wrappers program to
provide access control and additional logging for individual hosts.
tcp_wrappers is available from:
ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/tcp_wrappers/
ftp://ftp.win.tue.nl/pub/security/
Note that while the use of tcp_wrappers is recommended because it
increases security in general, it may not prevent this vulnerability
being exploited.
...........................................................................
Appendix A Vendor information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information. If your vendor is not listed below, or you require further
vendor information, please contact the vendor directly.
Berkeley Software Design, Inc. (BSDI)
=====================================
The version of ntalkd in BSD/OS is vulnerable to this problem
and an official patch is available from the <patches@BSDI.COM>
email server or via anonymous ftp at:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035
Data General Corporation
========================
Data General is not vulnerable.
FreeBSD, Inc.
=============
FreeBSD versions 1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1 are all
affected by the talkd vulnerability described in this advisory. This
has been fixed in version 2.2-current as of 1997-01-18 and 2.1-stable
as of 1997-01-18.
The FreeBSD Security Team have released an advisory and patch
information for this talkd vulnerability. This advisory
(FreeBSD-SA-96:21.talkd) is available from:
ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:21.talkd.asc
Patches are available from:
ftp://freebsd.org/pub/CERT/patches/SA-96:21/
Hewlett Packard
===============
HPSBUX9704-061
HEWLETT-PACKARD SECURITY BULLETIN: #00061
Description: Security Vulnerability in talkd
Security Bulletins are available from the HP Electronic
Support Center via electronic mail.
User your browser to get to the HP Electronic Support
Center page at:
http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com
(for Europe)
IBM Corporation
===============
The version of talkd shipped with AIX is vulnerable to the conditions
described in this advisory. The APARs listed below will be available
shortly. It is recommended that the talkd daemon be turned off until
the APARs are applied.
AIX 3.2: APAR IX65474
AIX 4.1: APAR IX65472
AIX 4.2: APAR IX65473
To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:
http://service.software.ibm.com/aixsupport/
or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".
IBM and AIX are registered trademarks of International Business
Machines Corporation.
Linux
=====
NetKit:
~~~~~~
This vulnerability in talkd was fixed in Linux NetKit-B-0.07. The
current version is NetKit-0.09 and contains this and other security
fixes. NetKit-0.09 updates NetKit-B-0.08.
The current version of NetKit is available from:
ftp://ftp.uk.linux.org/pub/linux/Networking/base
Red Hat Software:
~~~~~~~~~~~~~~~~
Linux RedHat 4.0 and later versions are not vulnerable to problem.
Users of RedHat Linux earlier than 4.0 should update to 4.0 and then
apply all available security patches.
NEC Corporation
===============
UX/4800 Vulnerable for all versions.
EWS-UX/V(Rel4.2MP) Vulnerable for all versions.
EWS-UX/V(Rel4.2) Vulnerable for all versions.
UP-UX/V(Rel4.2MP) Vulnerable for all versions.
Patches for these vulnerabilities are in progress.
Contacts for further information by e-mail:
UX48-security-support@nec.co.jp
NetBSD Project
==============
This vulnerability in talkd was identified and fixed in NetBSD on July
17, 1996. Neither NetBSD 1.2 nor NetBSD-current is susceptible to it.
The OpenBSD Project
===================
OpenBSD 2.0 is not susceptible to the vulnerabilities described
in this advisory.
The Santa Cruz Operation, Inc. (SCO)
====================================
SCO is investigating the problem with talkd and will provide updated
information for this advisory as it becomes available. At this time
SCO recommends disabling talkd on your SCO system as described herein.
Silicon Graphics Inc. (SGI)
===========================
SGI Security Advisory 19970701-01-PX
Description: talkd Vulnerability
This security advisory is available electronically from Silicon Graphics
Inc. at:
ftp://sgigate.sgi.com/security/19970701-01-PX
Solbourne (Grumman System Support)
==================================
We have examined the Solbourne implementation and found that
it is vulnerable. Solbourne distributed the Sun application
under license. We will distribute a Solbourne patch based
on the Sun patch when it becomes available. For the latest
information on our patches go to http://ftp.nts.gssc.com/solbourne.html
The workaround of disabling in.talkd can be used.
as root:
/etc/inetd.conf - comment out the talkd program
# ps -aux | grep inetd | grep -v grep
# kill -HUP {inetd PID listed in output of last command}
Sun Microsystems, Inc.
======================
Sun Security Bulletin #00147
Description: Vulnerability in talkd
This security advisory is available electronically from Sun Microsystems,
Inc. at:
http://sunsolve.sun.com/sunsolve/secbulletins/
...........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks the vendor community for their response, SNI for their
initial involvement, Alexander O. Yuriev, and CERT/CC. AUSCERT also thanks
David A. Holland for his contributions.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
25 July, 1997 Updated patch information for Silicon Graphics Inc. and
Sun Microsystems, Inc. in Appendix A.
12 May, 1997 Updated patch information for Hewlett-Packard in
Appendix A.
31 Jan, 1997 Added a pointer to CA-97.04, the CERT/CC advisory
released on this talkd vulnerability. Also added other
vendor information that was released in CERT's advisory.
20 Jan, 1997 Added vendor information for FreeBSD and NetBSD.
Made minor editorial changed, and updated the
acknowledgement section.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM9iNKSh9+71yA2DNAQHtLwP/ZDEsgfkBQ/f530ChUu/WH444qnLTdg60
PsFmsHacyXmw4VABxA9Cz28El4lF7f8DujhWnmuOiP2mSZIs1qW6+v7/bDKzH81u
eOTDYgAVniiraHGnE9GEu9HbKM4d1vEOKLwXh+oGE/+wivpVFjQeUKfQJvrhT+58
w1gM+CdHuKk=
=uqKx
-----END PGP SIGNATURE-----
|