
[irix-security] IRIX talkd vulnerability



Topic
=====
talkd format string bugs may allow remote root exploit

Problem Description
===================
IRIX's /usr/etc/talkd daemon contains a format string vulnerability.  By
carefully constructing the data that talkd ends up passing to a formatting
routine, an attacker can exploit the daemon either through a crafted DNS
reply or from a remote talk client.  Because inetd starts talkd as root, a
successful exploit yields root privileges.  No local account is required;
the vulnerability can be exploited by a remote user.

More details are available at the following URL:

  http://packetstorm.freezer-burn.org/advisories/misc/talkd.format.txt

Affected Systems
================
Systems running IRIX versions earlier than 6.5.10 with talkd enabled
(i.e., its entry not commented out in /etc/inetd.conf).
These issues have been corrected in the 6.5.10 and later releases of IRIX.

The /usr/etc/talkd daemon is installed by default on IRIX 6.5 systems as
part of eoe.sw.base.

To determine the version of IRIX you are running, execute the following
command:

  # uname -R

That will print a result similar to the following:

  6.5 6.5.15f

The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

To see if talkd is installed, execute the following command:

  # versions long | grep talkd
  f 48692    37 eoe.sw.base             usr/etc/talkd

If the command returns a line similar to the above, then talkd is installed.
Whether the system is actually vulnerable depends on the version of IRIX you
are running (see the table under Solution below) and on whether talkd is
enabled in /etc/inetd.conf.
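The version test above, as an added shell example that is not part of the
original advisory: it parses the two words printed by uname -R, strips the
"m"/"f" stream letter from the extended release name, and reports whether the
system falls in the pre-6.5.10 range. The function name and the sample release
strings at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original advisory): decide from the output of
# "uname -R" whether an IRIX system is in the vulnerable range for this talkd
# issue, i.e. an extended release earlier than 6.5.10.
#
# Usage: irix_talkd_vulnerable "$(uname -R)"
#   exit 0: vulnerable (earlier than 6.5.10)
#   exit 1: not vulnerable (6.5.10 or later)
#   exit 2: not an IRIX 6.5 release string we can parse

irix_talkd_vulnerable() {
    # "uname -R" prints the release name and the extended release name,
    # e.g. "6.5 6.5.15f"; the second word is what the advisory calls "version".
    ext=$(printf '%s\n' "$1" | awk '{ print $2 }')
    [ -n "$ext" ] || return 2

    case "$ext" in
        6.5)   return 0 ;;        # plain 6.5 with no maintenance level: vulnerable
        6.5.*) ;;
        *)     return 2 ;;        # not a 6.5.x release string
    esac

    # Strip the "6.5." prefix and the trailing stream letter ("m" or "f").
    level=${ext#6.5.}
    level=$(printf '%s\n' "$level" | sed 's/[^0-9]*$//')
    case "$level" in
        ''|*[!0-9]*) return 2 ;;  # something other than a maintenance number
    esac

    if [ "$level" -lt 10 ]; then
        return 0
    fi
    return 1
}

# Constructed sample release strings for a quick self-check (on a real
# system, pass "$(uname -R)" instead):
for r in "6.5 6.5.9m" "6.5 6.5.15f" "6.5 6.5.10" "6.5 6.5" "5.3 5.3"; do
    irix_talkd_vulnerable "$r"
    case $? in
        0) echo "$r: talkd vulnerable, disable it or upgrade" ;;
        1) echo "$r: not in the vulnerable range" ;;
        *) echo "$r: not an IRIX 6.5 release string" ;;
    esac
done
```

The check only looks at the maintenance number; it does not tell you whether
talkd is enabled, so pair it with the inetd.conf check from the Workaround
section before deciding a host is safe.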

Workaround (recommended!)
=========================
Disable talkd by editing the /etc/inetd.conf file and commenting out the
entry for talkd.  When talkd is enabled, the line looks like this:

  $ grep talkd /etc/inetd.conf
  ntalk   dgram   udp     wait    root    /usr/etc/talkd          talkd

Kill any existing talkd processes, then edit /etc/inetd.conf with your
preferred text editor and put a "#" as the first character of that line,
save the file, and issue a hangup signal to inetd to cause it to reread
/etc/inetd.conf:

  # killall talkd

  # vi /etc/inetd.conf

  Change this:

    ntalk   dgram   udp     wait    root    /usr/etc/talkd          talkd

  To this:

    #ntalk   dgram   udp     wait    root    /usr/etc/talkd          talkd

  # killall -HUP inetd

It is not necessary to reboot the system after making this change.
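The manual edit described above, as an added shell example that is not the
advisory's own script: it comments out the active ntalk/talkd entry in an
inetd.conf-style file, keeps a backup, is safe to run twice, and only performs
the killall and HUP steps when the INETD_RELOAD=yes convention (an assumption
of this example) is set, so it can be exercised on a constructed copy of the
file first. The function names, the backup suffix and the sample file are all
constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original advisory): comment out the talkd
# service in an inetd.conf-style file and report whether anything changed.
# The live steps (killall talkd; killall -HUP inetd) run only when
# INETD_RELOAD=yes is exported, so a dry run on a copy touches no daemons.

# talkd_active FILE: exit 0 if an uncommented talkd entry is present
talkd_active() {
    grep -E '^[[:space:]]*n?talk[[:space:]].*talkd' "$1" >/dev/null
}

# disable_talkd FILE
#   exit 0: an active talkd entry was commented out
#   exit 1: no active entry found (already disabled or not present)
#   exit 2: FILE missing or not writable
disable_talkd() {
    conf=$1
    [ -f "$conf" ] && [ -w "$conf" ] || return 2

    # Match only active lines whose first field is the ntalk (or older talk)
    # service and whose server program is talkd; comment lines never match.
    talkd_active "$conf" || return 1

    cp -p "$conf" "$conf.pre-talkd-fix"   # backup beside the original
    # Prefix the matching line(s) with "#", as the advisory does by hand.
    sed -e '/^[[:space:]]*n\{0,1\}talk[[:space:]].*talkd/s/^/#/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"

    if [ "${INETD_RELOAD:-no}" = yes ]; then
        killall talkd 2>/dev/null      # drop any talkd already spawned by inetd
        killall -HUP inetd             # make inetd re-read inetd.conf
    fi
    return 0
}

# Constructed sample inetd.conf fragment for a dry run (not a real system
# file); on IRIX you would run: INETD_RELOAD=yes disable_talkd /etc/inetd.conf
tmp=${TMPDIR:-/tmp}/inetd.conf.sample.$$
cat > "$tmp" <<'EOF'
# inetd.conf fragment, constructed for this example
ftp     stream  tcp     nowait  root    /usr/etc/ftpd           ftpd -l
ntalk   dgram   udp     wait    root    /usr/etc/talkd          talkd
EOF
if disable_talkd "$tmp"; then
    echo "talkd entry commented out in $tmp:"
    grep talkd "$tmp"                  # the line now begins with "#"
fi
rm -f "$tmp" "$tmp.pre-talkd-fix"
```

After running it against the real /etc/inetd.conf, confirm with
`grep talkd /etc/inetd.conf` that the only remaining entry starts with "#",
and with `ps -ef | grep talkd` that no talkd process is left; a reboot is
still not required.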

Solution
========
SGI has not released a standalone patch for this vulnerability.  Its
recommendation is to upgrade to IRIX 6.5.10 or a later release of IRIX (the
most recent release is preferred).

   OS Version     Vulnerable?
   ----------     -----------
   IRIX 6.5          yes
   IRIX 6.5.1        yes
   IRIX 6.5.2        yes
   IRIX 6.5.3        yes
   IRIX 6.5.4        yes
   IRIX 6.5.5        yes
   IRIX 6.5.6        yes
   IRIX 6.5.7        yes
   IRIX 6.5.8        yes
   IRIX 6.5.9        yes
   IRIX 6.5.10       no
   IRIX 6.5.11       no
   IRIX 6.5.12       no
   IRIX 6.5.13       no
   IRIX 6.5.14       no
   IRIX 6.5.15       no
   IRIX 6.5.16       no