-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ALERT! ALERT! Multiple vendor talkd vulnerability ALERT! ALERT!

Forward
*******

Certain #phrack op have big mouth and do stuff like /topic #phrack
www.bugtraq.org stuff hoping to get greet in advisory. Shut up lamer.

GOBBLES Advance Warning System
******************************

fc is heavily ridiculed in next GOBBLES advisory.

GOBBLES Advance Warning System
******************************

Next advisory is in comic book format.

Vulnerable
**********

KDE 1 - all platforms
KDE 2 - all platforms
KDE 3 - all platforms
talkd in older linux netkits (like 0.9).
Possibly many other talkd implementations based on drunk student's
announce.cpp from 1983.

Problem
*******

A format string vulnerability exist in many talkd implementations.

Technical details
*****************

In print_mesg(), located in announce.cpp, GOBBLES see this piece of
newbie code:

    void print_mesg(FILE * tf, NEW_CTL_MSG * request,
                    const char * remote_machine, int usercfg,
                    int force_no_sound)
    {
        ..
        const char *remotename = gethostbyname(remotemach)->h_name;
        ..
        snprintf(buffer, N_CHARS, "%s@%s", request->l_name, remotename);
        snprintf(line_buf[i], N_CHARS, Options.announce2, buffer);
        ..
        if (!(strcmp(localname,remotename))) {
            snprintf(line_buf[i], N_CHARS, Options.announce3, request->l_name);
        } else {
            snprintf(line_buf[i], N_CHARS, Options.announce3, buffer);
        }
        ..
        bptr = big_buf;
        if (!force_no_sound)            /* set if a X announce has been done */
            if (sound_or_beep(usercfg)) /* if no sound then : */
                *bptr++ = '^G';         /* send something to wake them up
                                           (BEL, shown as ^G in the original) */
        *bptr++ = '\r';                 /* add a \r in case of raw mode */
        *bptr++ = '\n';
        for (i = 0; i < N_LINES; i++) {
            /* copy the line into the big buffer */
            lptr = line_buf[i];
            while (*lptr != '\0')
                *(bptr++) = *(lptr++);
        ..
        fprintf(tf, big_buf);
        ..

Unless reader haven't spotted offending code yet, it's the fprintf()
line! big_buf is built from request->l_name, which is whatever login
name the remote talk client put in its NEW_CTL_MSG packet, and from the
DNS name of the caller's host. Both are chosen by the remote party, and
fprintf() then parses that text as the format string: "%x" reads the
stack, "%n" writes to it. talkd has to open other users' ttys, so inetd
normally runs it as root, and the announce is sent for any incoming
talk request, before the local user has accepted anything.

In top of file announce.cpp GOBBLES read:

    * Copyright (c) 1983 Regents of the University of California.
    * All rights reserved.
License go on to say crap about "no code based off this can be promoted
without the prior consent of the copyright holder. . ." and other junk,
so GOBBLES will not do promotion of exploit code for this vulnerability,
just will make fun of sloppy code.

The Origin of syslog() Bug
**************************

During extensive grep syslog stuff of code, GOBBLES search back and
discover some thing of historical importance concerning where original
syslog() bug come from, and here is what GOBBLES Security did discover.

The test code that comes with sysklogd-1.4.1 contains unformatted
syslog() calls.

syslog_tst.c:

    ...
    if (argc > 1) {
        if ( (*argv[1] == '-') && (*(argv[1]+1) == '\0') ) {
            while (!feof(stdin))
                if ( fgets(bufr, sizeof(bufr), stdin) != (char *) 0 ) {
                    if ( (nl = strrchr(bufr, '\n')) != (char *) 0)
                        *nl = '\0';
                    syslog(LOG_INFO, bufr);
                    logged += strlen(bufr);
                    if ( logged > 1024 ) {
                        sleep(1);
                        logged = 0;
                    }
                }
        }
        else
            while (argc-- > 1)
                syslog(LOG_INFO, argv++[1]);
    }
    ...

Both syslog() calls pass data read from stdin or argv as the format
string; the correct form is syslog(LOG_INFO, "%s", bufr).

Of course, Paul Vixie's ftpd from ftp.vix.com contains more format bugs
than scut's paper on the subject, but what do you expect from someone
like Vix? Real point to all of this is to show that syslogd programmer
try to encourage poor use of syslog(), not understanding ramification
of problems that evolve from that style people learned in later years
and such.

On other note, check out ftp.vix.com/pub/vixie/ftpd.tar.gz if you need
something to laugh at...

Workaround
**********

1. Find and chmod -x all *talkd*-binaries until official patch is
   released. ktalkd and the netkit talkd are normally spawned by inetd,
   so commenting out the talk/ntalk lines in inetd.conf and restarting
   inetd has the same effect.

2. Patch the one call so the buffer is only ever an argument:

       sed -i 's/fprintf(tf, big_buf);/fprintf(tf, "%s", big_buf);/' announce.cpp

   (In a sed basic regex "\(" opens a group, so the parentheses must
   be left unescaped for the pattern to match the real source line.)
   fputs(big_buf, tf) is equivalent. This fixes only the site shown
   above; grep the rest of the source for printf-family and syslog()
   calls whose format is not a string literal, or build with gcc
   -Wformat=2 -Wformat-security, which warns on exactly that pattern.

History
*******

Similar hole discovered and disclosed by antisec/K2 in OpenBSD, that
was said to not be exploitable... (unexploitable? hehehe, no strvis
wizards?) That one only take GOBBLES Security researchers three hours
to write fully automated, multiarchitecture remote root exploit, but
whatever, writing it was completely trivial for us. . . very beginner
stuff.
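The print_mesg() path, the sysklogd test harness's syslog(LOG_INFO, bufr) and the "%s" workaround above are all the same bug and the same one-token fix. The following is an added, self-contained example written for this page; it is not ktalkd's or sysklogd's code. It rebuilds the announce line the way print_mesg() does, with an assumed announce template (the real one comes from ktalkd's config, Options.announce2), then passes it once as the format and once as a "%s" argument, and adds the input check a daemon should run on the request's name field before it is used anywhere. The caller name "ev%%il" and host "attacker.example" are constructed inputs; only "%%" is used because it is the one directive that consumes no argument, so the demo itself is well-defined.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define N_CHARS   80   /* line width used by ktalkd's print_mesg() */
#define NAME_SIZE 12   /* size of l_name in the talk CTL_MSG (protocols/talkd.h) */

/* Assumed announce template. ktalkd reads its real one from its config
 * (Options.announce2); the exact default text is not reproduced here. */
static const char *ANNOUNCE2 = "talk: connection requested by %s.";

/* Build the announce line the way print_mesg() does: l_name comes straight
 * out of the caller's request packet, remotename from a DNS lookup of the
 * caller's host. Both are under the remote party's control. */
static void build_line(char *line, const char *l_name, const char *remotename)
{
    char who[N_CHARS];
    snprintf(who, sizeof who, "%s@%s", l_name, remotename);
    snprintf(line, N_CHARS, ANNOUNCE2, who);
}

/* The vulnerable shape: the finished text is handed to *printf AS the format
 * string, so any '%' the caller put in l_name is interpreted. */
const char *announce_vulnerable(const char *l_name, const char *remotename)
{
    static char out[N_CHARS];
    char line[N_CHARS];
    build_line(line, l_name, remotename);
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
    snprintf(out, sizeof out, line);       /* BUG: mirrors fprintf(tf, big_buf) */
#pragma GCC diagnostic pop
    return out;
}

/* The fix: the remote party's bytes are only ever an argument. */
const char *announce_fixed(const char *l_name, const char *remotename)
{
    static char out[N_CHARS];
    char line[N_CHARS];
    build_line(line, l_name, remotename);
    snprintf(out, sizeof out, "%s", line); /* same as fprintf(tf, "%s", big_buf) */
    return out;
}

/* Defence in depth: validate the name field of the request before it is used
 * anywhere. A login name has no business containing '%', blanks or control
 * bytes. In the daemon, NUL-terminate request->l_name at NAME_SIZE-1 first;
 * the on-the-wire field is not guaranteed to be terminated. */
bool lname_is_safe(const char *l_name)
{
    size_t len = strlen(l_name);
    if (len == 0 || len > NAME_SIZE)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)l_name[i];
        if (c == '%' || !isprint(c) || isspace(c))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed request: a caller whose login name is "ev%%il". "%x" or
     * "%n" would read or write through the missing varargs, which is the
     * real exploit primitive and undefined behaviour in a demo. */
    const char *l_name = "ev%%il", *host = "attacker.example";
    printf("vulnerable: %s\n", announce_vulnerable(l_name, host));
    printf("fixed:      %s\n", announce_fixed(l_name, host));
    printf("lname_is_safe(\"%s\") = %d\n", l_name, lname_is_safe(l_name));
    return 0;
}
```

The vulnerable variant prints "ev%il" where the fixed one prints "ev%%il" verbatim: the daemon has consumed a directive on the attacker's behalf, and with "%n" in place of "%%" that consumption is a write. The pragmas exist only so the deliberately bad call compiles silently; in a real build leave -Wformat-security on and treat that warning as a bug.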
Closing
*******

Huge, big, important announcements coming soon from GOBBLES
Security. . . GOBBLES suggest staying bright and attentive for details
concerning these things which will be announced and made public very
soon. . .

Funny Links
***********

* Pine Internet Advisory: Setuid application execution may give local
  root in FreeBSD
  Patrick Oonk (Mon Apr 22 2002 - 03:58:25 CDT)
  http://archives.neohapsis.com/archives/bugtraq/2002-04/0305.html

* Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
  Theo de Raadt (Mon Apr 22 2002 - 14:23:51 CDT)
  http://archives.neohapsis.com/archives/bugtraq/2002-04/0304.html

  (In this post, Theo try to make fun of Patrick saying that only
  reason Patrick find this bug is that Theo find it first and patch
  Theo-BSD with it, showing off that he smarter than everyone else as
  usual (well, not that Theo smarter than anyone else really, since
  even the average scriptkid find owning OpenBSD to be trivial task,
  but in he own mind he > * . . .))

* OpenBSD local DoS and root exploit
  fozzy@dmpfrance.com (Thu May 09 2002 - 08:11:31 CDT)
  http://archives.neohapsis.com/archives/bugtraq/2002-05/0066.html

  (In this advisory, Fozzy show that Theo attempt to patch bug in
  OpenBSD was completely vain and that OpenBSD was still vulnerable to
  same bug as FreeBSD, and that Theo really just lamer with ego who not
  good enough to be on NetBSD team anymore. Notice greets to GOBBLES,
  hehe, thankx Fozzy! Come to defcon for free tshirt, hehe
  :PPPPPppppp!)

Congratulations to Theo for making himself look like asshole. Everyone
already know that Theo lame, but few realize that he also is just
asshole. . .

http://udp.livejournal.com -- #phrack's finest, grab your magic decoder
ring and pray to sweet jebus that you'll be able to understand just a
single word...

Greetz
******

The Bronc Buster, who have nothing better to do at important cisco.com
job than to beg GOBBLES for attention. You too, like op in #phrack,
need to shut up. No tshirt for you, homie.
You are not funny, at all...

GOBBLES Security
"Often imitated, never cloned."

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjzqYcMVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPeyYA
nindTi9nbenpuRb3qKHutKbud4TWAJsH9C2wj5gVEFoqrd7IQ78QuEbeAA==
=ve5l
-----END PGP SIGNATURE-----