-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AA-97.01 AUSCERT Advisory talkd Buffer Overrun Vulnerability 17 January 1997 Last Revised: 25 July, 1997 Updated vendor information for Silicon Graphics Inc. and Sun Microsystems, Inc. in Appendix A A complete revision history is at the end of this file. - --------------------------------------------------------------------------- AUSCERT has received information that there is a vulnerability in talkd. This vulnerability may allow remote users to gain root privileges. Exploit information regarding this vulnerability has been made publicly available. The vulnerabilities in the talkd program affect numerous vendors and platforms. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. - --------------------------------------------------------------------------- 1. Description AUSCERT has received information of a vulnerability in the talkd(8) program used by talk(1). talk is a communication program which copies text from one users terminal to that of another, possibly remote, user. talkd is the daemon that notifies a user that someone else wishes to initiate a conversation. As part of the talk connection, talkd does a DNS lookup for the hostname of the host where the connection is being initiating from. Due to insufficient bounds checking on the buffer where the hostname is stored, it is possible to overwrite the internal stack space of talkd. By carefully manipulating the hostname information, it is possible to force talkd to execute arbitrary commands. As talkd runs with root privileges, this may allow intruders to remotely execute arbitrary commands with these privileges. This attack requires an intruder to be able to make a network connection to a vulnerable talkd program and provide corrupt DNS information to that host. This type of attack is a particular instance of the problem described in CERT advisory CA-96.04 "Corrupt Information from Network Servers". This advisory is available from: ftp://ftp.auscert.org.au/pub/cert/cert_advisories/ ftp://info.cert.org/pub/cert_advisories/ Sites should be aware that there are two different versions of the talkd program. Depending on your system, they make take any of the following names: talkd, otalkd, ntalkd. Sites can check whether they are allowing talk sessions by checking /etc/inetd.conf: # grep -i talk /etc/inetd.conf | grep -v '^#' Exploit information involving this vulnerability has been made publicly available. 2. Impact Intruders may be able to remotely execute arbitrary commands with root privileges. 3. Workarounds/Solution AUSCERT recommends that sites prevent the possible exploitation of this vulnerability by immediately disabling any talkd program(s). Vendor information about the vulnerability described in this advisory is provided in Section 3.2. CERT/CC has released advisory CA-97.04 concerning this vulnerability in talkd. This advisory contains more specific information on defending against this general type of DNS attack. Sites are encouraged to review this document. It can be retrieved from: ftp://info.cert.org/pub/cert_advisories/CA-97.04.talkd ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.04.talkd 3.1 Disable talkd program(s) Sites should disable any talkd programs found in /etc/inetd.conf by commenting those lines out and restarting inetd. Example commands executed as root: # grep -i talk /etc/inetd.conf talk dgram udp wait root /usr/etc/in.talkd in.talkd All references to talkd, otalkd or ntalkd should be commented out. Comments in /etc/inetd.conf begin with "#". After editing /etc/inetd.conf, sites should restart inetd. On many Unix systems, this is done by sending the inetd process a HUP signal. For SYSV: # ps -ef | grep inetd | grep -v grep # kill -HUP {inetd PID} For BSD: # ps -aux | grep inetd | grep -v grep # kill -HUP {inetd PID} 3.2 Vendor information The following vendors have provided information concerning the vulnerability status of their talkd. Detailed information has been appended in Appendix A. If your vendor is not listed below, you should contact your vendor directly. Berkeley Software Design, Inc. (BSDI) Data General Corporation FreeBSD, Inc Hewlett Packard IBM Corporation Linux NEC Corporation NetBSD Project The OpenBSD project Red Hat Software The Santa Cruz Operation, Inc. (SCO) Silicon Graphics Inc. (SGI) Solbourne (Grumman System Support) Sun Microsystems, Inc. 4. Additional measures Most Unix systems ship with numerous network services enabled. Often the functionality supplied by these network services is not required by many sites. The large number of network services that are enabled by default are to cater for all possible uses of the system. AUSCERT encourages sites to examine all the network services which are enabled and determine the necessity of each service. Sites can determine what services are being offered by using netstat(1). If a service is not required at your site, then it should be disabled. For those services which are required, sites should consider restricting access to only hosts which need those services. This may done on a network level by placing access controls at a site's router or firewall. In addition, sites should consider using the tcp_wrappers program to provide access control and additional logging for individual hosts. tcp_wrappers is available from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/tcp_wrappers/ ftp://ftp.win.tue.nl/pub/security/ Note that while the use of tcp_wrappers is recommended because it increases security in general, it may not prevent this vulnerability being exploited. ........................................................................... Appendix A Vendor information Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If your vendor is not listed below, or you require further vendor information, please contact the vendor directly. Berkeley Software Design, Inc. (BSDI) ===================================== The version of ntalkd in BSD/OS is vulnerable to this problem and an official patch is available from the email server or via anonymous ftp at: ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035 Data General Corporation ======================== Data General is not vulnerable. FreeBSD, Inc. ============= FreeBSD versions 1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1 are all affected by the talkd vulnerability described in this advisory. This has been fixed in version 2.2-current as of 1997-01-18 and 2.1-stable as of 1997-01-18. The FreeBSD Security Team have released an advisory and patch information for this talkd vulnerability. This advisory (FreeBSD-SA-96:21.talkd) is available from: ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:21.talkd.asc Patches are available from: ftp://freebsd.org/pub/CERT/patches/SA-96:21/ Hewlett Packard =============== HPSBUX9704-061 HEWLETT-PACKARD SECURITY BULLETIN: #00061 Description: Security Vulnerability in talkd Security Bulletins are available from the HP Electronic Support Center via electronic mail. User your browser to get to the HP Electronic Support Center page at: http://us-support.external.hp.com (for US, Canada, Asia-Pacific, & Latin-America) http://europe-support.external.hp.com (for Europe) IBM Corporation =============== The version of talkd shipped with AIX is vulnerable to the conditions described in this advisory. The APARs listed below will be available shortly. It is recommended that the talkd daemon be turned off until the APARs are applied. AIX 3.2: APAR IX65474 AIX 4.1: APAR IX65472 AIX 4.2: APAR IX65473 To Order -------- APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL: http://service.software.ibm.com/aixsupport/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". IBM and AIX are registered trademarks of International Business Machines Corporation. Linux ===== NetKit: ~~~~~~ This vulnerability in talkd was fixed in Linux NetKit-B-0.07. The current version is NetKit-0.09 and contains this and other security fixes. NetKit-0.09 updates NetKit-B-0.08. The current version of NetKit is available from: ftp://ftp.uk.linux.org/pub/linux/Networking/base Red Hat Software: ~~~~~~~~~~~~~~~~ Linux RedHat 4.0 and later versions are not vulnerable to problem. Users of RedHat Linux earlier than 4.0 should update to 4.0 and then apply all available security patches. NEC Corporation =============== UX/4800 Vulnerable for all versions. EWS-UX/V(Rel4.2MP) Vulnerable for all versions. EWS-UX/V(Rel4.2) Vulnerable for all versions. UP-UX/V(Rel4.2MP) Vulnerable for all versions. Patches for these vulnerabilities are in progress. Contacts for further information by e-mail: UX48-security-support@nec.co.jp NetBSD Project ============== This vulnerability in talkd was identified and fixed in NetBSD on July 17, 1996. Neither NetBSD 1.2 nor NetBSD-current is susceptible to it. The OpenBSD Project =================== OpenBSD 2.0 is not susceptible to the vulnerabilities described in this advisory. The Santa Cruz Operation, Inc. (SCO) ==================================== SCO is investigating the problem with talkd and will provide updated information for this advisory as it becomes available. At this time SCO recommends disabling talkd on your SCO system as described herein. Silicon Graphics Inc. (SGI) =========================== SGI Security Advisory 19970701-01-PX Description: talkd Vulnerability This security advisory is available electronically from Silicon Graphics Inc. at: ftp://sgigate.sgi.com/security/19970701-01-PX Solbourne (Grumman System Support) ================================== We have examined the Solbourne implementation and found that it is vulnerable. Solbourne distributed the Sun application under license. We will distribute a Solbourne patch based on the Sun patch when it becomes available. For the latest information on our patches go to http://ftp.nts.gssc.com/solbourne.html The workaround of disabling in.talkd can be used. as root: /etc/inetd.conf - comment out the talkd program # ps -aux | grep inetd | grep -v grep # kill -HUP {inetd PID listed in output of last command} Sun Microsystems, Inc. ====================== Sun Security Bulletin #00147 Description: Vulnerability in talkd This security advisory is available electronically from Sun Microsystems, Inc. at: http://sunsolve.sun.com/sunsolve/secbulletins/ ........................................................................... - --------------------------------------------------------------------------- AUSCERT thanks the vendor community for their response, SNI for their initial involvement, Alexander O. Yuriev, and CERT/CC. AUSCERT also thanks David A. Holland for his contributions. - --------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History 25 July, 1997 Updated patch information for Silicon Graphics Inc. and Sun Microsystems, Inc. in Appendix A. 12 May, 1997 Updated patch information for Hewlett-Packard in Appendix A. 31 Jan, 1997 Added a pointer to CA-97.04, the CERT/CC advisory released on this talkd vulnerability. Also added other vendor information that was released in CERT's advisory. 20 Jan, 1997 Added vendor information for FreeBSD and NetBSD. Made minor editorial changed, and updated the acknowledgement section. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBM9iNKSh9+71yA2DNAQHtLwP/ZDEsgfkBQ/f530ChUu/WH444qnLTdg60 PsFmsHacyXmw4VABxA9Cz28El4lF7f8DujhWnmuOiP2mSZIs1qW6+v7/bDKzH81u eOTDYgAVniiraHGnE9GEu9HbKM4d1vEOKLwXh+oGE/+wivpVFjQeUKfQJvrhT+58 w1gM+CdHuKk= =uqKx -----END PGP SIGNATURE-----