-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Next Generation Security Technologies
http://www.ngsec.com

Security Advisory

Title:       Solaris in.talkd, remote root compromise
ID:          NGSEC-2002-3
Application: in.talkd on Solaris 9ea or older (http://www.sun.com)
Date:        23/05/2002
Status:      Due to parallel release of bug, vendor not contacted.
Platform:    Solaris
Author:      Fermín J. Serna
Location:    http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt

Overview:
- ----------

Sun Solaris in.talkd is vulnerable to a format string bug which can be
exploited remotely. An attacker can request a talk session with a
specially crafted luser field that is able to write memory and gain
control of the flow of in.talkd. This vulnerability can also be
exploited through the clt_addr field and its resolved name (in
conjunction with a DNS).

GOBBLES discovered this bug (Who was first? ;), and reported it to
bugtraq. They did not say Solaris was vulnerable.

Technical description:
- -----------------------

Sun Solaris in.talkd is a daemon installed and enabled by default on
all Solaris 2.* systems. This daemon contains a format string bug in
the following line of in.talkd/announce.c:

    print_mesg(FILE *tf, CTL_MSG *request, char *remote_machine)
    {
        ...
        fprintf(tf, big_buf);
        ...
    }

in.talkd reaches print_mesg from:

    main()->process_request()->do_announce()->announce()->announce_proc()->print_mesg()

The fprintf() call passes no format string of its own: big_buf is used
as the format. Since big_buf contains user-supplied data such as luser,
an attacker can query the in.talkd server with a luser field containing
a malign format string (%n).

NGSEC has developed an exploit for this vulnerability but we are not
going to release it for obvious reasons (remote root compromise of a
widely deployed application).
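The fprintf(tf, big_buf) pattern described above beside its hardened form, as an added example that is not part of the advisory or of Sun's announce.c: the CTL_MSG stand-in, the message layout and the function names are assumptions, and the last function is a log-side detection heuristic rather than anything from in.talkd.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the CTL_MSG field announce.c formats
   (hypothetical layout, not Sun's header): l_name is luser. */
typedef struct { char l_name[12]; } ctl_msg_t;

/* Builds big_buf the way the announce path does: the remote-supplied
   luser is pasted into the buffer before it is printed. */
static void build_announce(char *big_buf, size_t n, const ctl_msg_t *req,
                           const char *remote_machine)
{
    snprintf(big_buf, n, "talk: connection requested by %.*s@%s.\n",
             (int)sizeof req->l_name, req->l_name, remote_machine);
}

/* Vulnerable shape from the advisory, kept as a comment so the file
 * compiles under -Werror=format-security:   fprintf(tf, big_buf);
 * big_buf is the format string, so every %-directive that arrived in
 * luser is interpreted. Hardened form: a literal format string. */
static void print_mesg_fixed(FILE *tf, const char *big_buf)
{
    fprintf(tf, "%s", big_buf);
}

/* Runs the fixed path for one luser and returns 1 if the text reaching
   the terminal equals expected, i.e. the directives were printed inertly. */
int fixed_output_matches(const char *luser, const char *expected)
{
    ctl_msg_t req;
    char big_buf[256], out[256];
    size_t got;
    FILE *tf = tmpfile();
    if (!tf) return -1;
    memset(&req, 0, sizeof req);
    strncpy(req.l_name, luser, sizeof req.l_name - 1);
    build_announce(big_buf, sizeof big_buf, &req, "localhost");
    print_mesg_fixed(tf, big_buf);
    rewind(tf);
    got = fread(out, 1, sizeof out - 1, tf);
    out[got] = '\0';
    fclose(tf);
    return strcmp(out, expected) == 0;
}

/* Detection heuristic for talk-request logs: a login name never
   contains '%', so its presence in luser flags a suspect request. */
int luser_has_directive(const char *luser)
{
    return strchr(luser, '%') != NULL;
}
```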
Proof of vulnerability:
- ------------------------

On the attacker machine:

    piscis:~/lots-of-0days/sun-talkd# rusers -l ultra
    root     ultra:pts/0        May 15 14:56   :01 (piscis)
    piscis:~/lots-of-0days/sun-talkd# ./talkd-x --test "%#x %#x" ultra root
    Solaris (up to 9ea) in.talkd xploit by Fermín J. Serna
    Next Generation Security Technologies
    http://www.ngsec.com
    Entering test mode
    Talk request from "%#x %#x:127.0.0.1" to "root:ultra" sent!.
    piscis:~/lots-of-0days/sun-talkd#

On the Solaris machine:

    ultra:/# uname -a
    SunOS ultra 5.7 Generic_106541-19 sun4u sparc SUNW,Ultra-5_10
    ultra:/#
    Message from Talk_Daemon@ultra at 15:01 ...
    talk: connection requested by 0xa 0x14@localhost.
    talk: respond with:  talk 0x5 0xffbef980@localhost
    ultra:/#

Recommendations:
- -----------------

Chmod 000 in.talkd and wait for Sun's patch.

More security advisories at:
http://www.ngsec.com/ngresearch/ngadvisories/

PGP Key: http://www.ngsec.com/pgp/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE9SCFVKrwoKcQl8Y4RAsk+AJ4xKn/wiq+y1+NhNbWSJT2ZtX1HFQCaAxF1
cn3Cmzg6xp0r3cCp5cKTj3Y=
=g4s+
-----END PGP SIGNATURE-----