
From: NGSEC Research Team (labs@ngsec.com)
Date: Thu May 23 2002 - 14:13:20 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                       Next Generation Security Technologies
                              http://www.ngsec.com
                                Security Advisory

           Title: Solaris in.talkd, remote root compromise
              ID: NGSEC-2002-3
     Application: in.talkd on Solaris 9ea or older (http://www.sun.com)
            Date: 23/05/2002
          Status: Due to parallel release of bug, vendor not contacted.
        Platform: Solaris
          Author: Fermín J. Serna <fjserna@ngsec.com>
        Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt

    Overview:
    - ---------

    Sun Solaris in.talkd is vulnerable to a format string bug which can be
    exploited remotely. An attacker can request a talk session with an
    especially crafted luser field that is able to write memory and gain
    control of the flow of in.talkd.

    This vulnerability can also be exploited through the field clt_addr and its
    resolved name (in conjunction with DNS).

    GOBBLES discovered this bug (who was first? ;) and reported it to
    Bugtraq. They did not say Solaris was vulnerable.

    Technical description:
    - ----------------------

    Sun Solaris in.talkd is a daemon installed and enabled by default on all
    Solaris 2.* systems. This daemon contains a format string bug in the
    following line of in.talkd/announce.c:

    print_mesg(FILE *tf, CTL_MSG *request, char *remote_machine) {
    ...
            /* big_buf holds the announcement text, including the caller-supplied
             * luser and host; it is passed as the format string itself */
            fprintf(tf, big_buf);
    ...
    }

    in.talkd calls print_mesg from:

    main()->process_request()->do_announce()->announce()->announce_proc()->print_mesg()

    This call lacks a constant format string: big_buf is used as the format
    itself. Since "big_buf" contains user-supplied data such as luser, an
    attacker can send the in.talkd server a request whose luser field contains
    a malicious format string (%n).

    NGSEC has developed an exploit for this vulnerability but we are not going
    to release it for obvious reasons (remote root compromise of a widely
    deployed application).
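The following is an added example, not code from Sun's announce.c or from NGSEC: it shows how print_mesg() should build and emit the announcement so that the caller-supplied luser and host never become part of a format string, together with a login-name check that rejects the advisory's "%#x %#x" test value outright. The struct announce_req, the function names and the exact wording of the message lines are assumptions modelled on the sample output above (the "@" that the archive stripped from "Talk_Daemon@ultra" is restored).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MSG_MAX 512

/* Hypothetical stand-in for the CTL_MSG fields that reach the announcement. */
struct announce_req {
    const char *l_name;   /* requester's login name: attacker-controlled */
    const char *host;     /* resolved caller address: attacker-influenced via DNS */
    const char *timestr;  /* e.g. "15:01" as in the advisory's sample output */
};

/* Build the announcement into out with a constant format string. Every
 * caller-supplied field is passed as a %s argument, so a name such as
 * "%#x %#x" is printed literally instead of being interpreted. Returns the
 * number of characters written (excluding the NUL), or -1 on truncation. */
int format_announce(char *out, size_t outsz, const struct announce_req *req)
{
    int n = snprintf(out, outsz,
                     "Message from Talk_Daemon@%s at %s ...\n"
                     "talk: connection requested by %s@%s.\n"
                     "talk: respond with: talk %s@%s\n",
                     req->host, req->timestr,
                     req->l_name, req->host,
                     req->l_name, req->host);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Hardened equivalent of print_mesg(): the finished message is data, so it is
 * written with fputs() rather than fprintf(tf, big_buf). Returns 0 on success. */
int print_mesg_fixed(FILE *tf, const struct announce_req *req)
{
    char big_buf[MSG_MAX];
    if (format_announce(big_buf, sizeof big_buf, req) < 0)
        return -1;
    return fputs(big_buf, tf) == EOF ? -1 : 0;
}

/* Defence in depth: a talk login name should look like a Unix login name.
 * Returns 1 if the name is 1..32 bytes of [A-Za-z0-9._-], else 0. A request
 * failing this check can be dropped before any message is built. */
int valid_login_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed request mirroring the advisory's test: luser = "%#x %#x". */
    struct announce_req req = { "%#x %#x", "localhost", "15:01" };
    printf("login name valid: %d\n", valid_login_name(req.l_name));
    /* The directives are echoed as plain text; no stack memory is read or written. */
    return print_mesg_fixed(stdout, &req) == 0 ? 0 : 1;
}
```

Run stand-alone, the program prints the announcement with "%#x %#x" appearing verbatim, which is exactly what the advisory's test request would have produced had announce.c used a constant format. The name check is secondary: the real fix is the constant format string, since the resolved host name reaches the same buffer and is not a login name.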

    Proof of vulnerability:
    - -----------------------

    On the attacker machine:

    piscis:~/lots-of-0days/sun-talkd# rusers -l ultra
    root ultra:pts/0 May 15 14:56 :01 (piscis)
    piscis:~/lots-of-0days/sun-talkd# ./talkd-x --test "%#x %#x" ultra root
    Solaris (up to 9ea) in.talkd xploit by Fermín J. Serna <fjsernangsec.com>
    Next Generation Security Technologies
    http://www.ngsec.com

    Entering test mode
    Talk request from "%#x %#x:127.0.0.1" to "root:ultra" sent!.
    piscis:~/lots-of-0days/sun-talkd#

    On the solaris machine:

    ultra:/# uname -a
    SunOS ultra 5.7 Generic_106541-19 sun4u sparc SUNW,Ultra-5_10
    ultra:/#

    Message from Talk_Daemonultra at 15:01 ...
    talk: connection requested by 0xa 0x14localhost.
    talk: respond with: talk 0x5 0xffbef980localhost

    ultra:/#

    Recommendations:
    - ----------------
    chmod 000 in.talkd and wait for Sun's patch.

    More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
    PGP Key: http://www.ngsec.com/pgp/labs.asc

    (c)Copyright 2002 NGSEC. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Made with pgp4pine 1.76

    iD8DBQE87T9VKrwoKcQl8Y4RAkOPAJ9fcoRI6oe8uD3uiixeVjMmpEIsSwCff67T
    HefwTXQSKM8ygNo3ZgbVV9c=
    =DE1f
    -----END PGP SIGNATURE-----