From labs@ngsec.com Fri May 24 04:31:58 2002
From: NGSEC Research Team
To: vulnwatch@vulnwatch.org
Date: Thu, 23 May 2002 21:13:20 +0200 (CEST)
Subject: [VulnWatch] [NGSEC-2002-3] Solaris in.talkd remote root compromise

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Next Generation Security Technologies
http://www.ngsec.com

Security Advisory

Title:       Solaris in.talkd, remote root compromise
ID:          NGSEC-2002-3
Application: in.talkd on Solaris 9ea or older (http://www.sun.com)
Date:        23/05/2002
Status:      Due to parallel release of the bug, vendor not contacted.
Platform:    Solaris
Author:      Fermín J. Serna
Location:    http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt

Overview:
- ---------

Sun Solaris in.talkd is vulnerable to a format string bug which can be
exploited remotely. An attacker can request a talk session with an
especially crafted luser field that is able to write memory and gain
control of the execution flow of in.talkd. This vulnerability can also be
exploited through the clt_addr field and its resolved name (in conjunction
with DNS).

GOBBLES discovered this bug (Who was first? ;) and reported it to Bugtraq.
They did not say Solaris was vulnerable.

Technical description:
- ----------------------

Sun Solaris in.talkd is a daemon installed and enabled by default on all
Solaris 2.* systems. This daemon contains a format string bug in the
following line of in.talkd/announce.c:

print_mesg(FILE *tf, CTL_MSG *request, char *remote_machine)
{
    ...
    fprintf(tf, big_buf);   /* big_buf is passed as the format string */
    ...
}

in.talkd calls print_mesg from:

main()->process_request()->do_announce()->announce()->announce_proc()->print_mesg()

This call supplies no constant format string: big_buf itself is used as
the format. Since "big_buf" contains user-supplied data such as luser, an
attacker can send the in.talkd server a request whose luser field contains
a malicious format string (%n).
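The vulnerable call and its hardened form side by side, as an added example (this is not Sun's in.talkd source and not NGSEC's code). The announcement layout is reconstructed from the transcript below, and the function names (count_format_directives, build_announce, print_mesg_safe, announce_to_string) are hypothetical. The hardened path passes big_buf as a data argument to a constant "%s" format, so a luser field such as "%#x %#x" reaches the terminal as literal text instead of being interpreted; the directive counter is the kind of input check a daemon can log on before announcing anything.

```c
#include <stdio.h>
#include <string.h>

#define TALK_BUF 1024

/* Count printf conversion directives ('%' not followed by another '%') in a
 * user-supplied field. A talk username legitimately contains none, so a
 * request carrying any should be logged and dropped before announcement. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Build the announcement text in the layout the advisory's transcript shows
 * (hypothetical reconstruction). Returns bytes written, or -1 if the request
 * does not fit in big_buf. The user-controlled luser field is inserted here
 * with a constant format, which is correct; the defect in the original is in
 * how big_buf is printed afterwards. */
int build_announce(char *big_buf, size_t len, const char *host,
                   const char *luser, const char *rmachine) {
    int n = snprintf(big_buf, len,
        "Message from Talk_Daemon@%s ...\r\n"
        "talk: connection requested by %s@%s.\r\n"
        "talk: respond with: talk %s@%s\r\n",
        host, luser, rmachine, luser, rmachine);
    if (n < 0 || (size_t)n >= len) return -1;
    return n;
}

/* Vulnerable form quoted in the advisory:   fprintf(tf, big_buf);
 * big_buf is the FORMAT argument, so '%' sequences inside luser are
 * interpreted against whatever sits on the stack.
 * Hardened form: big_buf is a DATA argument to a constant format. */
int print_mesg_safe(FILE *tf, const char *big_buf) {
    return fprintf(tf, "%s", big_buf);
}

/* Announce a request through the safe path into a temporary file and return
 * the text that would have reached the terminal, so the result can be checked:
 * the '%' directives must survive as literal characters. Returns 0 on error. */
size_t announce_to_string(const char *luser, char *out, size_t outlen) {
    char big_buf[TALK_BUF];
    if (build_announce(big_buf, sizeof big_buf, "ultra", luser, "localhost") < 0)
        return 0;
    FILE *tf = tmpfile();
    if (!tf) return 0;
    print_mesg_safe(tf, big_buf);
    rewind(tf);
    size_t got = fread(out, 1, outlen - 1, tf);
    out[got] = '\0';
    fclose(tf);
    return got;
}

int main(void) {
    char out[TALK_BUF];
    const char *luser = "%#x %#x";   /* constructed: the advisory's test string */
    printf("format directives in luser field: %d\n", count_format_directives(luser));
    if (announce_to_string(luser, out, sizeof out))
        fputs(out, stdout);
    return 0;
}
```

Compiling with -Wformat-security (gcc/clang) flags the original `fprintf(tf, big_buf)` pattern at build time; the rewrite above compiles clean under that flag.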
NGSEC has developed an exploit for this vulnerability but we are not going
to release it, for obvious reasons (remote root compromise of a widely
deployed application).

Proof of vulnerability:
- -----------------------

On the attacker machine:

piscis:~/lots-of-0days/sun-talkd# rusers -l ultra
root     ultra:pts/0      May 15 14:56   :01  (piscis)
piscis:~/lots-of-0days/sun-talkd# ./talkd-x --test "%#x %#x" ultra root
Solaris (up to 9ea) in.talkd xploit by Fermín J. Serna
Next Generation Security Technologies
http://www.ngsec.com
Entering test mode
Talk request from "%#x %#x:127.0.0.1" to "root:ultra" sent!.
piscis:~/lots-of-0days/sun-talkd#

On the Solaris machine:

ultra:/# uname -a
SunOS ultra 5.7 Generic_106541-19 sun4u sparc SUNW,Ultra-5_10
ultra:/#
Message from Talk_Daemon@ultra at 15:01 ...
talk: connection requested by 0xa 0x14@localhost.
talk: respond with: talk 0x5 0xffbef980@localhost
ultra:/#

Recommendations:
- ----------------

Chmod 000 in.talkd and wait for Sun's patch.

More security advisories at:
http://www.ngsec.com/ngresearch/ngadvisories/

PGP Key: http://www.ngsec.com/pgp/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE87T9VKrwoKcQl8Y4RAkOPAJ9fcoRI6oe8uD3uiixeVjMmpEIsSwCff67T
HefwTXQSKM8ygNo3ZgbVV9c=
=DE1f
-----END PGP SIGNATURE-----