Multiple vendor talkd announce.cpp dprint_mesg format string

linux-talkd-overwrite-root (5344)

High Risk

Description:

Talkd is vulnerable to a remote format string attack. An attacker can supply a malicious format string to the dpring_mesg function in the announce.cpp file to overwrite memory and execute arbitrary code on the system with root privileges.

Platforms Affected:

• OpenBSD, OpenBSD 2.x
• RedHat, Linux
• SGI, IRIX 6.5
• SGI, IRIX 6.5.1
• SGI, IRIX 6.5.2
• SGI, IRIX 6.5.3
• SGI, IRIX 6.5.4
• SGI, IRIX 6.5.5
• SGI, IRIX 6.5.6
• SGI, IRIX 6.5.7
• SGI, IRIX 6.5.8
• SGI, IRIX 6.5.9
• Sun, Solaris 2.5.1
• Sun, Solaris 2.6
• Sun, Solaris 7.0
• Sun, Solaris 8

Remedy:

Apply the talkd patch, as listed in OpenBSD Security Advisory, October 6, 2000. See References.

For Sun Solaris 2.5.1:
Apply patch 104692-02, as listed in Sun Alert ID: 44646. See References.

For Sun Solaris 2.6:
Apply patch 112814-01, as listed in Sun Alert ID: 44646. See References.

For SGI IRIX:
Upgrade to the latest version of IRIX (6.5.16 or later), as listed in SGI Security Advisory 20020603-01-I. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Thu Oct 05 2000 - 18:00:16 CDT, talkd [WAS: Re: OpenBSD Security Advisory] at http://archives.neohapsis.com/archives/bugtraq/2000-10/0086.html.
• BugTraq Mailing List, Wed Oct 04 2000 - 02:31:03 CDT, Re: OpenBSD Security Advisory at http://archives.neohapsis.com/archives/bugtraq/2000-10/0059.html.
• Gobbles Security Advisory #35, Multiple Vendor Talkd Vulnerability at http://www.immunitysec.com/GOBBLES/advisories/GOBBLES-35.txt.
• Next Generation Security Technologies Security Advisory NGSEC-2002-3, Solaris in.talkd, remote root compromise at http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt.
• OpenBSD Security Advisory, October 6, 2000, A format string vulnerability exists in talkd(8). at http://www.openbsd.com/errata.html#talkd.
• SGI Security Advisory 20020603-01-I, talkd vulnerability at ftp://patches.sgi.com/support/free/security/advisories/20020603-01-I.
• Sun Security Alert 44646, Security Vulnerability in the in.talkd(1M) Daemon at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44646&zone_32=category%3Asecurity.
• BID-1764: BSD talkd Remote Format String Vulnerability
• CVE-2000-1010: Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters.

Reported:

Oct 05, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page