[17069] in bugtraq


talkd [WAS: Re: OpenBSD Security Advisory]

daemon@ATHENA.MIT.EDU (Chris Evans)
Thu Oct 5 23:29:35 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.21.0010052329180.29675-100000@ferret.lmh.ox.ac.uk>
Date:         Fri, 6 Oct 2000 00:00:16 +0100
Reply-To: Chris Evans <chris@SCARY.BEASTS.ORG>
From: Chris Evans <chris@SCARY.BEASTS.ORG>
X-To:         K2 <ktwo@KTWO.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39DADCB7.4E416D8B@ktwo.ca>

On Wed, 4 Oct 2000, K2 wrote:

[...]

> OK, hold on a second....  The following "snip snip" is a little long...
> and I have not verified it, (a guaranteed DoS though).
>
> talkd, A DEFAULT service.

[...]

>         *bptr = '\0';
>         fprintf(tf, big_buf);
>         fflush(tf);

This is in announce.c, function print_mesg(). "big_buf" contains, as far
as I can see, data supplied by the remote (for example the remote
username). %'s don't seem to get filtered.

So, seeing this post I was concerned :-)

I've investigated things from a Linux point of view. Most Linux vendors
will be shipping talkd from the Linux netkit. Also, most Linux vendors
listen on the talkd port by default! Good news - current Linux netkit is
NOT VULNERABLE. Older versions (2+ yrs) are.

More version details:

RedHat-7.0; talk-0.17-7.src.rpm: SAFE (write(2) used)
...
        *bptr = 0;
        write(fd, big_buf, strlen(big_buf));
...

RedHat-6.0; talk-0.11-1.src.rpm: SAFE (write(2) used)
...
        *bptr = 0;
        write(fd, big_buf, strlen(big_buf));
...

RedHat-5.2; ntalk-0.10-4.src.rpm: POSSIBLY VULNERABLE
                                  (fprintf(3) used buggily)
...
        *bptr = 0;
        fprintf(tf, big_buf);
        fflush(tf);
...


Cheers
Chris
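An added C example (not talkd or netkit source, and not part of Chris's
post): it shows the difference between the vulnerable print_mesg() line
and the fixed write(2) form quoted above, plus the '%' check the post notes
is missing. The announcement layout, the hostname and the sample username
are constructed for the example; the only thing taken from the post is that
big_buf is built from remote-supplied fields and must not be used as a
format string.

```c
/* Added example: safe replacements for fprintf(tf, big_buf) in talkd's
 * print_mesg(), and a check for unfiltered '%' in remote-supplied data.
 * Layout of the announcement line and sample values are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Count '%' characters that printf would treat as conversion directives.
 * "%%" is a literal percent and is skipped.  A non-zero result on a
 * remote-supplied username means the vulnerable fprintf(tf, big_buf)
 * would parse the name as a format instead of printing it. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* literal "%%", not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Fixed stdio form of the vulnerable lines: the buffer is data, so it is
 * passed as an argument to a literal "%s" format.  Returns the number of
 * characters written, or a negative value on error (as fprintf does). */
int print_mesg_safe(FILE *tf, const char *big_buf)
{
    int r = fprintf(tf, "%s", big_buf);
    fflush(tf);
    return r;
}

/* Equivalent of the fixed netkit code quoted in the post: raw write(2)
 * of the bytes, which never interprets '%' at all. */
ssize_t print_mesg_write(int fd, const char *big_buf)
{
    return write(fd, big_buf, strlen(big_buf));
}

/* Build an announcement line from remote-supplied fields.  The layout
 * "Message from user@host" is a hypothetical stand-in for talkd's own. */
int build_announce(char *buf, size_t len, const char *user, const char *host)
{
    return snprintf(buf, len, "Message from %s@%s\n", user, host);
}

int main(void)
{
    char big_buf[256];
    /* Constructed sample: a remote username carrying unfiltered '%'. */
    build_announce(big_buf, sizeof big_buf, "bob%x%x", "ferret.example");
    printf("directives in announcement: %zu\n", count_directives(big_buf));
    print_mesg_safe(stdout, big_buf);   /* the '%' characters print literally */
    return 0;
}
```

count_directives() is the test a defender would run over the assembled
line before handing it to any printf-family call; both print_mesg_safe()
and print_mesg_write() make that check unnecessary, because neither treats
big_buf as a format.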
