SecurityTracker.com
Category:   Application (Generic)  >   Talkd
Vendors:   NetBSD
(NetBSD Issues Fix) Re: Talkd Buffer Overflow May Let Remote Execute Arbitrary Code
SecurityTracker Alert ID:  1005379
SecurityTracker URL:  http://securitytracker.com/id/1005379
CVE Reference:   CAN-2002-1194
Updated:  Dec 15 2003
Original Entry Date:  Oct 8 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A buffer overflow vulnerability was reported in the 'talkd' talk daemon. A user may be able to overrun the buffer to execute arbitrary code with root privileges.

It is reported that a remote user (if talkd is enabled for remote communications) can send specially crafted data to talkd to trigger the overflow. It is possible that the remote user could cause arbitrary code to be executed with root privileges.

According to the report, talkd does not properly check some inbound messages and may make an unbounded copy of user-supplied data into a destination buffer that is not large enough.

The report credits xs@kittenz.org with reporting this flaw.
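
The unbounded-copy pattern described above, as an added illustration that is not talkd's code and not part of the advisory. The report does not identify the field or function involved, so `demo_msg`, `FIELD_SIZE`, `copy_unchecked`, `copy_checked` and `demo` are hypothetical names, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_SIZE 16            /* hypothetical fixed-width wire field */
struct demo_msg {                /* hypothetical layout, not talkd's own */
    char name[FIELD_SIZE];       /* set by the remote peer; may lack a NUL */
};

/* Unchecked pattern, for contrast only and never called: strcpy() stops at
 * the first NUL, which may lie beyond m->name and beyond dst. */
void copy_unchecked(char *dst, const struct demo_msg *m)
{
    strcpy(dst, m->name);
}

/* Checked copy: 0 on success; -1 for a short datagram, an unterminated
 * field, or a dst too small for the string plus its NUL. */
int copy_checked(char *dst, size_t dstsz, const void *pkt, size_t pktlen)
{
    struct demo_msg m;
    const char *nul;
    size_t len;
    if (dst == NULL || dstsz == 0 || pkt == NULL || pktlen < sizeof m)
        return -1;
    memcpy(&m, pkt, sizeof m);            /* never read past what arrived */
    nul = memchr(m.name, '\0', sizeof m.name);
    if (nul == NULL)
        return -1;                        /* no terminator inside the field */
    len = (size_t)(nul - m.name);
    if (len >= dstsz)
        return -1;                        /* would not fit with its NUL */
    memcpy(dst, m.name, len + 1);
    return 0;
}

/* Constructed input: name holds n 'A' bytes, every other byte is zero. */
int demo(size_t n, size_t pktlen, size_t dstsz)
{
    struct demo_msg m;
    char dst[64];
    memset(&m, 0, sizeof m);
    memset(m.name, 'A', n > FIELD_SIZE ? FIELD_SIZE : n);
    return copy_checked(dst, dstsz > sizeof dst ? sizeof dst : dstsz, &m, pktlen);
}

int main(void)
{
    size_t full = sizeof(struct demo_msg);
    printf("%d %d %d\n", demo(5, full, 32), demo(16, full, 32), demo(15, full, 8));
    return 0;
}
```
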

Impact:   A remote user may be able to execute arbitrary code with root privileges.
Solution:   NetBSD has issued a fix.

The following instructions describe how to upgrade your talkd binaries by updating your source tree and rebuilding and installing a new version of talkd.

* NetBSD-current:

Systems running NetBSD-current dated from before 2002-09-20 should be upgraded to NetBSD-current dated 2002-09-20 or later.

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):
libexec/talkd

To update from CVS, re-build, and re-install talkd:
# cd src
# cvs update -d -P libexec/talkd
# cd libexec/talkd

# make cleandir dependall
# make install


* NetBSD 1.6:

Systems running NetBSD 1.6 branch dated from before 2002-10-03 should be upgraded to NetBSD 1.6 branch dated 2002-10-03 or later.

The following directories need to be updated from the netbsd-1-6 CVS branch:
libexec/talkd

To update from CVS, re-build, and re-install talkd:
# cd src
# cvs update -d -P -r netbsd-1-6 libexec/talkd
# cd libexec/talkd

# make cleandir dependall
# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

Systems running NetBSD 1.5 branch dated from before 2002-09-20 should be upgraded to NetBSD 1.5 branch dated 2002-09-20 or later.

The following directories need to be updated from the netbsd-1-5 CVS branch:
libexec/talkd

To update from CVS, re-build, and re-install talkd:
# cd src
# cvs update -d -P -r netbsd-1-5 libexec/talkd
# cd libexec/talkd

# make cleandir dependall
# make install

Vendor URL:  www.NetBSD.ORG/Security/
Cause:   Boundary error
Underlying OS:   UNIX (NetBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 8 2002 Talkd Buffer Overflow May Let Remote Execute Arbitrary Code



 Source Message Contents

Date:  Tue, 08 Oct 2002 14:27:47 +0900
Subject:  [Full-Disclosure] NetBSD Security Advisory 2002-019: Buffer overrun in talkd


-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-019
		 =================================

Topic:		Buffer overrun in talkd

Version:	NetBSD-current:	source prior to September 20, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:	Possible local root compromise (not confirmed)

Fixed:		NetBSD-current:		September 20, 2002
		NetBSD-1.6 branch:	October 3, 2002
					(1.6.1 will include the fix)
		NetBSD-1.5 branch:	September 20, 2002


Abstract
========

Rogue talk client is able to cause talkd to overrun the buffer,
and could be able to compromise root privilege of the machine running talkd.

Actual attack script is yet to be found.


Technical Details
=================

talkd did not make proper check against inbound messages and can make
unbounded copy into a destination buffer.


Solutions and Workarounds
=========================

To remedy this problem, talkd binary has to be updated to the latest one.

The following instructions describe how to upgrade your talkd
binaries by updating your source tree and rebuilding and
installing a new version of talkd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-09-20
	should be upgraded to NetBSD-current dated 2002-09-20 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		libexec/talkd

	To update from CVS, re-build, and re-install talkd:
		# cd src
		# cvs update -d -P libexec/talkd
		# cd libexec/talkd

		# make cleandir dependall
		# make install


* NetBSD 1.6:

	Systems running NetBSD 1.6 branch dated from before 2002-10-03
	should be upgraded to NetBSD 1.6 branch dated 2002-10-03 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		libexec/talkd

	To update from CVS, re-build, and re-install talkd:
		# cd src
		# cvs update -d -P -r netbsd-1-6 libexec/talkd
		# cd libexec/talkd

		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5 branch dated from before 2002-09-20
	should be upgraded to NetBSD 1.5 branch dated 2002-09-20 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		libexec/talkd

	To update from CVS, re-build, and re-install talkd:
		# cd src
		# cvs update -d -P -r netbsd-1-5 libexec/talkd
		# cd libexec/talkd

		# make cleandir dependall
		# make install


Thanks To
=========

xs@kittenz.org


Revision History
================

	2002-10-08	Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-019.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-019.txt,v 1.6 2002/10/08 03:43:35 itojun Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPaJUWj5Ru2/4N2IFAQHlxAP/cRktEeD1NK4UjLK3wFWcz+wdEWY6e1KM
s4DMRD0Jf123A4/yXEA7pzBImhP+guvJu5FE+AVEhLWozursc/0lhaBedl4pJXp5
dZjgaK+iE+EiVeXPZhNKquAYxO5dYFk0TS4MYUWtBh9DhgXYxtF08jTq0JMKuAGu
HGjCuPb8rvc=
=PZcD
-----END PGP SIGNATURE-----
Copyright 2013, SecurityGlobal.net LLC