-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   Solaris in.talkd, remote root compromise
          ID:   NGSEC-2002-3
 Application:   in.talkd on Solaris 9ea or older (http://www.sun.com)
        Date:   23/05/2002
      Status:   Due to parallel release of bug, vendor not contacted.
    Platform:   Solaris
      Author:   Fermín J. Serna <fjserna@ngsec.com>
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt


Overview:
- ---------

Sun Solaris in.talkd is vulnerable to a format string bug which can be
exploited remotely. An attacker can request a talk session with an
especially crafted luser field that writes to memory and gains control of
the in.talkd execution flow.

This vulnerability can also be exploited through the clt_addr field and its
resolved name (in conjunction with DNS).

GOBBLES discovered this bug (Who was first? ;) and reported it to
bugtraq. Their report did not say that Solaris was vulnerable.


Technical description:
- ----------------------

Sun Solaris in.talkd is a daemon installed and enabled by default on all
Solaris 2.* systems. This daemon contains a format string bug in the
following line of in.talkd/announce.c:

print_mesg(FILE *tf, CTL_MSG *request, char *remote_machine) {
...
        fprintf(tf, big_buf);   /* big_buf, built from user data, is the format string */
...
}

in.talkd calls print_mesg() from:

main()->process_request()->do_announce()->announce()->announce_proc()->print_mesg()

This call has no fixed format string: big_buf itself is passed as the format
argument. Since big_buf contains user-supplied data such as luser, an
attacker can query the in.talkd server with a luser field containing a
malicious format string (%n).

NGSEC has developed an exploit for this vulnerability but we are not going
to release it for obvious reasons (remote root compromise in a widely
deployed application).
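As an added illustration that is not part of this advisory or of Sun's source: the fixed-format-string correction for the call above, next to an input-side check a daemon can apply to the luser field before it reaches any printf-family function. NAME_SIZE and all function names are assumptions, not talkd's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical stand-in for the size of talkd's luser name field; the real
 * CTL_MSG layout is not reproduced here. */
#define NAME_SIZE 12

/* Vulnerable pattern from announce.c, kept as a comment so it never runs:
 *     fprintf(tf, big_buf);      user data interpreted as the format string
 * Hardened form: the format is a string literal and big_buf is an argument. */
void print_mesg_fixed(FILE *tf, const char *big_buf)
{
    fprintf(tf, "%s", big_buf);
}

/* Build the announcement line the advisory's transcript shows, with the
 * caller's name passed as data under a constant format. Returns the
 * snprintf result. */
int render_announce(char *out, size_t outlen, const char *luser, const char *host)
{
    return snprintf(out, outlen,
                    "talk: connection requested by %s@%s.", luser, host);
}

/* 1 if the rendered announcement for luser@host equals expected. A probe
 * such as "%#x %#x" comes back as the literal text, not as stack words. */
int announce_matches(const char *luser, const char *host, const char *expected)
{
    char buf[128];
    render_announce(buf, sizeof buf, luser, host);
    return strcmp(buf, expected) == 0;
}

/* Input-side check: reject '%', non-printable bytes and spaces, empty
 * names, and names longer than the field. 1 = acceptable, 0 = reject. */
int luser_is_clean(const char *luser)
{
    size_t i;
    for (i = 0; luser[i] != '\0'; i++) {
        unsigned char c = (unsigned char)luser[i];
        if (i >= NAME_SIZE || c == '%' || !isgraph(c))
            return 0;
    }
    return i > 0;
}
```

The check is a defence-in-depth measure only; the real fix is the constant format string in print_mesg_fixed().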


Proof of vulnerability:
- -----------------------

On the attacker machine:

piscis:~/lots-of-0days/sun-talkd# rusers -l ultra
root     ultra:pts/0                   May 15 14:56      :01 (piscis)
piscis:~/lots-of-0days/sun-talkd# ./talkd-x --test "%#x %#x" ultra root
Solaris (up to 9ea) in.talkd xploit by Fermín J. Serna <fjserna@ngsec.com>
Next Generation Security Technologies
http://www.ngsec.com

Entering test mode
Talk request from "%#x %#x:127.0.0.1" to "root:ultra" sent!.
piscis:~/lots-of-0days/sun-talkd#


On the solaris machine:

ultra:/# uname -a
SunOS ultra 5.7 Generic_106541-19 sun4u sparc SUNW,Ultra-5_10
ultra:/#

Message from Talk_Daemon@ultra at 15:01 ...
talk: connection requested by 0xa 0x14@localhost.
talk: respond with:  talk 0x5 0xffbef980@localhost

ultra:/#


Recommendations:
- ----------------
chmod 000 in.talkd and wait for Sun's patch.


More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE87TttKrwoKcQl8Y4RAi1kAKCanR2fXScZcX96clTjoZk9aKUv4gCfWinP
rG5Yo9qa5vF+kFFUrQu1FUs=
=7OXi
-----END PGP SIGNATURE-----