多家厂商talkd域名查询缓冲区溢出漏洞

发布日期:1997-01-18
更新日期:1997-01-18

受影响系统:
Multiple Vendor talkd(8) |
    - BSDI BSD/OS 2.1
    - BSDI BSD/OS 2.0.1
    - BSDI BSD/OS 2.0
    - BSDI BSD/OS 1.1
    - Debian Linux 1.1
    - Debian Linux 0.93
    - FreeBSD 2.1.6
    - FreeBSD 2.1.5
    - FreeBSD 2.1
    - FreeBSD 2.0.5
    - FreeBSD 2.0
    - FreeBSD 1.1.5.1
    - HP HP-UX 10.9
    - HP HP-UX 10.8
    - HP HP-UX 10.34
    - HP HP-UX 10.30
    - HP HP-UX 10.20
    - HP HP-UX 10.16
    - HP HP-UX 10.10
    - HP HP-UX 10.1
    - HP HP-UX 10.0
    - IBM AIX 4.2
    - IBM AIX 4.1
    - IBM AIX 3.2
    - RedHat Linux 3.0.3
    - RedHat Linux 2.1
    - SGI IRIX 6.4
    - SGI IRIX 6.3
    - SGI IRIX 6.2
    - SGI IRIX 6.1
    - SGI IRIX 6.0.1XFS
    - SGI IRIX 6.0.1
    - SGI IRIX 6.0
    - SGI IRIX 5.3XFS
    - SGI IRIX 5.3
    - SGI IRIX 5.2
    - SGI IRIX 5.1.1
    - SGI IRIX 5.1
    - SGI IRIX 5.0.1
    - SGI IRIX 5.0
    - SGI IRIX 4.0.5IPR
    - SGI IRIX 4.0.5H
    - SGI IRIX 4.0.5G
    - SGI IRIX 4.0.5F
    - SGI IRIX 4.0.5E
    - SGI IRIX 4.0.5D
    - SGI IRIX 4.0.5A
    - SGI IRIX 4.0.5(IOP)
    - SGI IRIX 4.0.5
    - SGI IRIX 4.0.4T
    - SGI IRIX 4.0.4B
    - SGI IRIX 4.0.4
    - SGI IRIX 4.0.3
    - SGI IRIX 4.0.2
    - SGI IRIX 4.0.1T
    - SGI IRIX 4.0.1
    - SGI IRIX 4.0
不受影响系统:
Multiple Vendor talkd(8)
    - BSDI BSD/OS 4.0
Multiple Vendor talkd(8)
    - BSDI BSD/OS 3.0
Multiple Vendor talkd(8)
    - Debian Linux 2.0
Multiple Vendor talkd(8)
    - Debian Linux 1.3.1
Multiple Vendor talkd(8)
    - Debian Linux 1.3
Multiple Vendor talkd(8)
    - Debian Linux 1.2
Multiple Vendor talkd(8)
    - FreeBSD 3.1
Multiple Vendor talkd(8)
    - FreeBSD 3.0
Multiple Vendor talkd(8)
    - FreeBSD 2.2.8
Multiple Vendor talkd(8)
    - FreeBSD 2.2.7
Multiple Vendor talkd(8)
    - FreeBSD 2.2.6
Multiple Vendor talkd(8)
    - FreeBSD 2.2.5
Multiple Vendor talkd(8)
    - FreeBSD 2.2.4
Multiple Vendor talkd(8)
    - FreeBSD 2.2.3
Multiple Vendor talkd(8)
    - FreeBSD 2.2.2
Multiple Vendor talkd(8)
    - FreeBSD 2.1.7.1
Multiple Vendor talkd(8)
    - IBM AIX 4.3
Multiple Vendor talkd(8)
    - IBM AIX 4.2.1
Multiple Vendor talkd(8)
    - RedHat Linux 5.2
Multiple Vendor talkd(8)
    - RedHat Linux 5.1
Multiple Vendor talkd(8)
    - RedHat Linux 5.0
Multiple Vendor talkd(8)
    - RedHat Linux 4.2
Multiple Vendor talkd(8)
    - RedHat Linux 4.1
Multiple Vendor talkd(8)
    - RedHat Linux 4.0
Multiple Vendor talkd(8)
    - SGI IRIX 6.5
描述:
BUGTRAQ  ID: 210

talkd是一款客户端/服务器架构的应用程序,用于用户之间在本地或远程进行通信,广泛用于多种Unix和Linux操作系统平台。

当一个用户想与另一个用户建立聊天会话时,talkd进程会通知被呼叫的用户;此时talkd会对发起请求的对方主机进行域名查询。早期talkd在处理域名查询返回的主机名时没有做充分的边界检查,存在缓冲区溢出漏洞,远程攻击者可以通过精心伪造的主机名信息获得root权限。

<*链接:ftp://patches.sgi.com/support/free/security/advisories/19970701-01-PX
        http://www.ciac.org/ciac/bulletins/h-22a.shtml
        http://www.cert.org/advisories/CA-1997-04.html
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-96:21.[需要添加].asc
        http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147&type=0&nav=sec.sba
*>

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 暂时关闭talkd服务。talkd通常由inetd启动,可在/etc/inetd.conf中注释掉talk和ntalk对应的条目,然后让inetd重新读取配置。

厂商补丁:

BSDI
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035

FreeBSD
-------
FreeBSD已经为此发布了一个安全公告(SA-96:21)以及相应补丁:
SA-96:21:unauthorized access via buffer overrun in talkd
链接:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-96:21.[需要添加].asc

补丁下载:

ftp://freebsd.org/pub/CERT/patches/SA-96:21

    Index: announce.c
    ===================================================================
    RCS file: /cvs/freebsd/src/libexec/talkd/announce.c,v
    retrieving revision 1.6
    diff -u -r1.6 announce.c
    --- announce.c      1997/01/14 06:20:58     1.6
    +++ announce.c      1997/01/18 08:27:04
    @@ -34,7 +34,7 @@
      */
    
     #ifndef lint
    -static char sccsid[] = "@(#)announce.c     8.2 (Berkeley) 1/7/94";
    +static char sccsid[] = "@(#)announce.c     8.3 (Berkeley) 4/28/95";
     #endif /* not lint */
    
     #include <sys/types.h>
    @@ -43,13 +43,17 @@
     #include <sys/time.h>
     #include <sys/wait.h>
     #include <sys/socket.h>
    +
     #include <protocols/talkd.h>
    +
     #include <errno.h>
    -#include <syslog.h>
    -#include <unistd.h>
    +#include <paths.h>
     #include <stdio.h>
    +#include <stdlib.h>
     #include <string.h>
    -#include <paths.h>
    +#include <syslog.h>
    +#include <unistd.h>
    +#include <vis.h>
    
     extern char hostname[];
    
    @@ -78,7 +82,7 @@
    
     #define max(a,b) ( (a) > (b) ? (a) : (b) )
     #define N_LINES 5
    -#define N_CHARS 120
    +#define N_CHARS 256
    
     /*
      * Build a block of characters containing the message.
    @@ -100,33 +104,37 @@
            char line_buf[N_LINES][N_CHARS];
            int sizes[N_LINES];
            char big_buf[N_LINES*N_CHARS];
    -   char *bptr, *lptr, *ttymsg();
    +   char *bptr, *lptr, *vis_user;
            int i, j, max_size;
    
            i = 0;
            max_size = 0;
            gettimeofday(&clock, &zone);
            localclock = localtime( &clock.tv_sec );
    -   (void)sprintf(line_buf[i], " ");
    +   (void)snprintf(line_buf[i], N_CHARS, " ");
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], "Message from Talk_Daemon@%s at %d:%02d ...",
    -   hostname, localclock->tm_hour , localclock->tm_min );
    +   (void)snprintf(line_buf[i], N_CHARS,
    +           "Message from Talk_Daemon@%s at %d:%02d ...",
    +           hostname, localclock->tm_hour , localclock->tm_min );
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], "talk: connection requested by %s@%s",
    -           request->l_name, remote_machine);
    +
    +   vis_user = malloc(strlen(request->l_name) * 4 + 1);
    +   strvis(vis_user, request->l_name, VIS_CSTYLE);
    +   (void)snprintf(line_buf[i], N_CHARS,
    +       "talk: connection requested by %s@%s", vis_user, remote_machine);
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], "talk: respond with:  talk %s@%s",
    -           request->l_name, remote_machine);
    +   (void)snprintf(line_buf[i], N_CHARS, "talk: respond with:  talk %s@%s",
    +       vis_user, remote_machine);
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], " ");
    +   (void)snprintf(line_buf[i], N_CHARS, " ");
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
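Review bot: The result of `malloc(strlen(request->l_name) * 4 + 1)` is handed straight to `strvis()` with no NULL check, so an allocation failure becomes a NULL write inside a network-facing daemon; add `if (vis_user == NULL)` with an early failure return before the `strvis()` call. No `free(vis_user)` appears in the hunk, and the function body continues past the last line shown, so confirm the buffer is released on every return path. `strlen(request->l_name)` also assumes the name field of the request is NUL-terminated, which presumably has to be enforced where the packet is received, outside this file section. The same lines appear in the FreeBSD 2.1 variant of this hunk (`@@ -99,33 +102,37 @@`).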
    Index: talkd.c
    ===================================================================
    RCS file: /cvs/freebsd/src/libexec/talkd/talkd.c,v
    retrieving revision 1.5
    diff -u -r1.5 talkd.c
    --- talkd.c 1997/01/14 06:21:01     1.5
    +++ talkd.c 1997/01/18 08:26:44
    @@ -71,7 +71,7 @@
     void       timeout();
     long       lastmsgtime;
    
    -char    hostname[MAXHOSTNAMELEN];
    +char    hostname[MAXHOSTNAMELEN + 1];
    
     #define TIMEOUT 30
     #define MAXIDLE 120
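Review bot: The extra byte in `hostname[MAXHOSTNAMELEN + 1]` guarantees a terminator only if the code that fills the array limits its write to `MAXHOSTNAMELEN` bytes. That call is outside the hunk, so confirm it reads `gethostname(hostname, sizeof(hostname) - 1)` or sets `hostname[sizeof(hostname) - 1] = '\0';` afterwards. announce.c sees the array as `extern char hostname[];` and formats it with `%s`, so it depends on that terminator being present. The FreeBSD 2.1 hunk `@@ -69,7 +69,7 @@` makes the same change.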

    For FreeBSD 2.1 based systems:

    --- announce.c      1995/05/30 05:46:38     1.3
    +++ announce.c      1997/01/18 08:33:55     1.3.4.1
    @@ -32,7 +32,7 @@
      */
    
     #ifndef lint
    -static char sccsid[] = "@(#)announce.c     8.2 (Berkeley) 1/7/94";
    +static char sccsid[] = "@(#)announce.c     8.3 (Berkeley) 4/28/95";
     #endif /* not lint */
    
     #include <sys/types.h>
    @@ -41,15 +41,18 @@
     #include <sys/time.h>
     #include <sys/wait.h>
     #include <sys/socket.h>
    +
     #include <protocols/talkd.h>
    -#include <sgtty.h>
    +
     #include <errno.h>
    -#include <syslog.h>
    -#include <unistd.h>
    +#include <paths.h>
     #include <stdio.h>
    +#include <stdlib.h>
     #include <string.h>
    -#include <paths.h>
    -
    +#include <syslog.h>
    +#include <unistd.h>
    +#include <vis.h>
    +  
     extern char hostname[];
    
     /*
    @@ -77,7 +80,7 @@
    
     #define max(a,b) ( (a) > (b) ? (a) : (b) )
     #define N_LINES 5
    -#define N_CHARS 120
    +#define N_CHARS 256
    
     /*
      * Build a block of characters containing the message.
    @@ -99,33 +102,37 @@
            char line_buf[N_LINES][N_CHARS];
            int sizes[N_LINES];
            char big_buf[N_LINES*N_CHARS];
    -   char *bptr, *lptr, *ttymsg();
    +   char *bptr, *lptr, *vis_user;
            int i, j, max_size;
    
            i = 0;
            max_size = 0;
            gettimeofday(&clock, &zone);
            localclock = localtime( &clock.tv_sec );
    -   (void)sprintf(line_buf[i], " ");
    +   (void)snprintf(line_buf[i], N_CHARS, " ");
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], "Message from Talk_Daemon@%s at %d:%02d ...",
    -   hostname, localclock->tm_hour , localclock->tm_min );
    +   (void)snprintf(line_buf[i], N_CHARS,
    +           "Message from Talk_Daemon@%s at %d:%02d ...",
    +           hostname, localclock->tm_hour , localclock->tm_min );
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], "talk: connection requested by %s@%s",
    -           request->l_name, remote_machine);
    +
    +   vis_user = malloc(strlen(request->l_name) * 4 + 1);
    +   strvis(vis_user, request->l_name, VIS_CSTYLE);
    +   (void)snprintf(line_buf[i], N_CHARS,
    +       "talk: connection requested by %s@%s", vis_user, remote_machine);
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], "talk: respond with:  talk %s@%s",
    -           request->l_name, remote_machine);
    +   (void)snprintf(line_buf[i], N_CHARS, "talk: respond with:  talk %s@%s",
    +       vis_user, remote_machine);
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    -   (void)sprintf(line_buf[i], " ");
    +   (void)snprintf(line_buf[i], N_CHARS, " ");
            sizes[i] = strlen(line_buf[i]);
            max_size = max(max_size, sizes[i]);
            i++;
    Index: talkd.c
    ===================================================================
    RCS file: /home/ncvs/src/libexec/talkd/talkd.c,v
    retrieving revision 1.3
    retrieving revision 1.3.4.1
    diff -u -r1.3 -r1.3.4.1
    --- talkd.c 1995/05/30 05:46:44     1.3
    +++ talkd.c 1997/01/18 08:33:56     1.3.4.1
    @@ -69,7 +69,7 @@
     void       timeout();
     long       lastmsgtime;
    
    -char    hostname[MAXHOSTNAMELEN];
    +char    hostname[MAXHOSTNAMELEN + 1];
    
     #define TIMEOUT 30
     #define MAXIDLE 120

SGI
---
SGI已经为此发布了一个安全公告(19970701-01-PX)以及相应补丁:
19970701-01-PX:talkd Vulnerability
链接:ftp://patches.sgi.com/support/free/security/advisories/19970701-01-PX

补丁下载:

SGI的匿名ftp服务器:

sgigate.sgi.com (204.94.209.1) ftp.sgi.com

Filename: README.patch.2132
Algorithm #1 (sum -r): 58795 8 README.patch.2132
Algorithm #2 (sum): 22126 8 README.patch.2132
MD5 checksum: 1C16F01A682CC8DB605DEC4C515B3ADD

Filename: patchSG0002132
Algorithm #1 (sum -r): 39922 1 patchSG0002132
Algorithm #2 (sum): 24988 1 patchSG0002132
MD5 checksum: 1BD1683D23D164F954BEE893B3CF8B2F

Filename: patchSG0002132.eoe2_sw
Algorithm #1 (sum -r): 29839 26 patchSG0002132.eoe2_sw
Algorithm #2 (sum): 636 26 patchSG0002132.eoe2_sw
MD5 checksum: EDB8C15F7D22F7104770D591952346E7

Filename: patchSG0002132.idb
Algorithm #1 (sum -r): 54227 1 patchSG0002132.idb
Algorithm #2 (sum): 34895 1 patchSG0002132.idb
MD5 checksum: 82E411637E20CB15E9EEFA3BA330F93D

Filename: README.patch.2133
Algorithm #1 (sum -r): 53634 8 README.patch.2133
Algorithm #2 (sum): 26859 8 README.patch.2133
MD5 checksum: 20FE236BEAC79EC8614BE84B5E291841

Filename: patchSG0002133
Algorithm #1 (sum -r): 05188 1 patchSG0002133
Algorithm #2 (sum): 27188 1 patchSG0002133
MD5 checksum: A4E881E9682DA41DE8897DE71D2EE42C

Filename: patchSG0002133.eoe_sw
Algorithm #1 (sum -r): 24652 27 patchSG0002133.eoe_sw
Algorithm #2 (sum): 6068 27 patchSG0002133.eoe_sw
MD5 checksum: 7ECC472AFE5105D195BCC2B75834D666

Filename: patchSG0002133.idb
Algorithm #1 (sum -r): 45369 1 patchSG0002133.idb
Algorithm #2 (sum): 35211 1 patchSG0002133.idb
MD5 checksum: 5BE2481FB3F325399BEE961AF0FB476C

Sun
---
Sun已经为此发布了一个安全公告(SUN-00147)以及相应补丁:
SUN-00147:Vulnerability in talkd
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147&type=0&nav=sec.sba

补丁下载:

ftp://sunsolve1.sun.com/pub/patches/patches.html

File Name         BSD        SVR4         MD5
_______________   ________   _________    ________________________________
104692-01.tar.Z   05337 97   5296 194     0F45E5B9CCAD276AE166CAFFE9110799
104693-01.tar.Z   44228 97   39970 194    32D62F61E350AA6B50FBD2A4BA1059CA
104690-01.tar.Z   26808 97   47810 194    E4360074D6BB751C22406F1962556138
104691-01.tar.Z   07788 97   37926 194    B3519CA85BCD2CD818B1712B655E260F
104701-01.tar.Z   03035 85   2323 169     FCBEEAADE24029B9E5B0FB3CFAEE9CCE
104702-01.tar.Z   14433 85   29616 169    922599D5FF853181A9671070C7213F0D
104698-01.tar.Z   25487 85   52869 169    337DD394B381E4D61BA7E590ED1BBAD7
104998-01.tar.Z   46836 10   15721 19     8C62C5B5E0965BB0E0D3B5B835D98670
104997-01.tar.Z   21171 10   10506 19     DE1AE78A37570FD597AA39844554A3C7

    OS version          Patch ID
    __________          ________
    SunOS 5.5.1         104692-01      
    SunOS 5.5.1_x86     104693-01      
    SunOS 5.5           104690-01      
    SunOS 5.5_x86       104691-01      
    SunOS 5.4           104701-01      
    SunOS 5.4_x86       104702-01      
    SunOS 5.3           104698-01
    SunOS 4.1.4         104998-01
    SunOS 4.1.3_U1      104997-01

本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载