Subject: talkd [WAS: Re: OpenBSD Security Advisory]
From: Chris Evans (chris SCARY.BEASTS.ORG)
Date: Thu Oct 05 2000 - 18:00:16 CDT
- Next message: Theo de Raadt: "Re: OpenBSD xlock exploit"
- Previous message: lunguz: "Re: OpenBSD xlock exploit"
- In reply to: K2: "Re: OpenBSD Security Advisory"
- Next in thread: Jeremy C. Reed: "Re: OpenBSD Security Advisory"
- Reply: Chris Evans: "talkd [WAS: Re: OpenBSD Security Advisory]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 4 Oct 2000, K2 wrote:
[...]
> OK, hold on a second.... The following "snip snip" is a little long...
> and I have not verified it, (a guaranteed DoS though).
>
> talkd, A DEFAULT service.
[...]
> *bptr = '\0';
> fprintf(tf, big_buf);
> fflush(tf);
This is in announce.c, function print_mesg(). "big_buf" contains, as far
as I can see, data supplied by the remote (for example the remote
username). %'s don't seem to get filtered.

So, seeing this post I was concerned :-)

I've investigated things from a Linux point of view. Most Linux vendors
will be shipping talkd from the Linux netkit. Also, most Linux vendors
listen on the talkd port by default! Good news - current Linux netkit is
NOT VULNERABLE. Older versions (2+ yrs) are.

More version details:
RedHat-7.0; talk-0.17-7.src.rpm: SAFE (write(2) used)
...
*bptr = 0;
write(fd, big_buf, strlen(big_buf));
...
RedHat-6.0; talk-0.11-1.src.rpm: SAFE (write(2) used)
...
*bptr = 0;
write(fd, big_buf, strlen(big_buf));
...
RedHat-5.2; ntalk-0.10-4.src.rpm: POSSIBLY VULNERABLE
(fprintf(3) used buggily)
...
*bptr = 0;
fprintf(tf, big_buf);
fflush(tf);
...
Cheers
Chris
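
The two output patterns compared in the message above, side by side, as an added example that is not part of the original post or of the netkit source. The function names, the sample string and the use of snprintf() into a buffer in place of the terminal stream are assumptions made so the result can be checked.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample announcement. The remote-supplied caller name holds
 * "%%", a directive that consumes no arguments, so even the buggy call
 * below stays well-defined while showing the parser acting on the data. */
static const char SAMPLE[] = "talk: connection requested by 100%%user@remote\n";

/* Pattern from the ntalk-0.10 excerpt: big_buf is the format string. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int emit_as_format(char *out, size_t n, const char *big_buf)
{
    return snprintf(out, n, big_buf);
}
#pragma GCC diagnostic pop

/* Same effect as the write(2) fix: big_buf is only ever data. */
static int emit_as_data(char *out, size_t n, const char *big_buf)
{
    return snprintf(out, n, "%s", big_buf);
}

typedef int (*emit_fn)(char *, size_t, const char *);

/* Returns 1 when the bytes emitted equal the bytes supplied. */
int output_matches_input(emit_fn emit, const char *big_buf)
{
    char out[256];
    int len = emit(out, sizeof out, big_buf);
    return len >= 0 && (size_t)len < sizeof out && strcmp(out, big_buf) == 0;
}

/* Audit helper: number of '%' bytes in a field received from the peer. */
size_t count_percent(const char *field)
{
    size_t hits = 0;
    for (; *field != '\0'; field++)
        if (*field == '%')
            hits++;
    return hits;
}

int main(void)
{
    printf("as format: %s\n", output_matches_input(emit_as_format, SAMPLE) ? "unchanged" : "ALTERED");
    printf("as data:   %s\n", output_matches_input(emit_as_data, SAMPLE) ? "unchanged" : "ALTERED");
    printf("'%%' bytes in sample: %zu\n", count_percent(SAMPLE));
    return 0;
}
```

Building with -Wformat -Wformat-security (without the pragmas) makes the compiler flag the first call, which is a quick way to find this pattern in an old source tree.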