多家厂商talkd域名查询缓冲区溢出漏洞
发布日期:1997-01-18
更新日期:1997-01-18
受影响系统:
Multiple Vendor talkd(8)
- BSDI BSD/OS 2.1
- BSDI BSD/OS 2.0.1
- BSDI BSD/OS 2.0
- BSDI BSD/OS 1.1
- Debian Linux 1.1
- Debian Linux 0.93
- FreeBSD 2.1.6
- FreeBSD 2.1.5
- FreeBSD 2.1
- FreeBSD 2.0.5
- FreeBSD 2.0
- FreeBSD 1.1.5.1
- HP HP-UX 10.9
- HP HP-UX 10.8
- HP HP-UX 10.34
- HP HP-UX 10.30
- HP HP-UX 10.20
- HP HP-UX 10.16
- HP HP-UX 10.10
- HP HP-UX 10.1
- HP HP-UX 10.0
- IBM AIX 4.2
- IBM AIX 4.1
- IBM AIX 3.2
- RedHat Linux 3.0.3
- RedHat Linux 2.1
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 6.2
- SGI IRIX 6.1
- SGI IRIX 6.0.1XFS
- SGI IRIX 6.0.1
- SGI IRIX 6.0
- SGI IRIX 5.3XFS
- SGI IRIX 5.3
- SGI IRIX 5.2
- SGI IRIX 5.1.1
- SGI IRIX 5.1
- SGI IRIX 5.0.1
- SGI IRIX 5.0
- SGI IRIX 4.0.5IPR
- SGI IRIX 4.0.5H
- SGI IRIX 4.0.5G
- SGI IRIX 4.0.5F
- SGI IRIX 4.0.5E
- SGI IRIX 4.0.5D
- SGI IRIX 4.0.5A
- SGI IRIX 4.0.5(IOP)
- SGI IRIX 4.0.5
- SGI IRIX 4.0.4T
- SGI IRIX 4.0.4B
- SGI IRIX 4.0.4
- SGI IRIX 4.0.3
- SGI IRIX 4.0.2
- SGI IRIX 4.0.1T
- SGI IRIX 4.0.1
- SGI IRIX 4.0
不受影响系统:
Multiple Vendor talkd(8)
- BSDI BSD/OS 4.0
Multiple Vendor talkd(8)
- BSDI BSD/OS 3.0
Multiple Vendor talkd(8)
- Debian Linux 2.0
Multiple Vendor talkd(8)
- Debian Linux 1.3.1
Multiple Vendor talkd(8)
- Debian Linux 1.3
Multiple Vendor talkd(8)
- Debian Linux 1.2
Multiple Vendor talkd(8)
- FreeBSD 3.1
Multiple Vendor talkd(8)
- FreeBSD 3.0
Multiple Vendor talkd(8)
- FreeBSD 2.2.8
Multiple Vendor talkd(8)
- FreeBSD 2.2.7
Multiple Vendor talkd(8)
- FreeBSD 2.2.6
Multiple Vendor talkd(8)
- FreeBSD 2.2.5
Multiple Vendor talkd(8)
- FreeBSD 2.2.4
Multiple Vendor talkd(8)
- FreeBSD 2.2.3
Multiple Vendor talkd(8)
- FreeBSD 2.2.2
Multiple Vendor talkd(8)
- FreeBSD 2.1.7.1
Multiple Vendor talkd(8)
- IBM AIX 4.3
Multiple Vendor talkd(8)
- IBM AIX 4.2.1
Multiple Vendor talkd(8)
- RedHat Linux 5.2
Multiple Vendor talkd(8)
- RedHat Linux 5.1
Multiple Vendor talkd(8)
- RedHat Linux 5.0
Multiple Vendor talkd(8)
- RedHat Linux 4.2
Multiple Vendor talkd(8)
- RedHat Linux 4.1
Multiple Vendor talkd(8)
- RedHat Linux 4.0
Multiple Vendor talkd(8)
- SGI IRIX 6.5
描述:
BUGTRAQ ID: 210
talkd是一款客户端/服务器端形式的应用程序,用于各个用户之间以本地和远程的方式进行通信,使用在多种Unix和Linux操作系统平台下。
当有用户想与本机用户建立聊天会话时,talkd进程会通知本机用户;此时talkd会对发起方主机进行域名查询。早期talkd在处理域名查询结果时存在缓冲区溢出漏洞:查询得到的主机名未经长度检查就被写入固定大小的缓冲区,远程攻击者可以利用精心伪造的主机名信息获得root权限。
<*链接:ftp://patches.sgi.com/support/free/security/advisories/19970701-01-PX
http://www.ciac.org/ciac/bulletins/h-22a.shtml
http://www.cert.org/advisories/CA-1997-04.html
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-96:21.[需要添加].asc
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147&type=0&nav=sec.sba
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时关闭talkd服务。
厂商补丁:
BSDI
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035
FreeBSD
-------
FreeBSD已经为此发布了一个安全公告(SA-96:21)以及相应补丁:
SA-96:21:unauthorized access via buffer overrun in talkd
链接:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-96:21.[需要添加].asc
补丁下载:
ftp://freebsd.org/pub/CERT/patches/SA-96:21
Index: announce.c
===================================================================
RCS file: /cvs/freebsd/src/libexec/talkd/announce.c,v
retrieving revision 1.6
diff -u -r1.6 announce.c
--- announce.c 1997/01/14 06:20:58 1.6
+++ announce.c 1997/01/18 08:27:04
@@ -34,7 +34,7 @@
*/
#ifndef lint
-static char sccsid[] = "@(#)announce.c 8.2 (Berkeley) 1/7/94";
+static char sccsid[] = "@(#)announce.c 8.3 (Berkeley) 4/28/95";
#endif /* not lint */
#include <sys/types.h>
@@ -43,13 +43,17 @@
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/socket.h>
+
#include <protocols/talkd.h>
+
#include <errno.h>
-#include <syslog.h>
-#include <unistd.h>
+#include <paths.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
-#include <paths.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <vis.h>
extern char hostname[];
@@ -78,7 +82,7 @@
#define max(a,b) ( (a) > (b) ? (a) : (b) )
#define N_LINES 5
-#define N_CHARS 120
+#define N_CHARS 256
/*
* Build a block of characters containing the message.
@@ -100,33 +104,37 @@
char line_buf[N_LINES][N_CHARS];
int sizes[N_LINES];
char big_buf[N_LINES*N_CHARS];
- char *bptr, *lptr, *ttymsg();
+ char *bptr, *lptr, *vis_user;
int i, j, max_size;
i = 0;
max_size = 0;
gettimeofday(&clock, &zone);
localclock = localtime( &clock.tv_sec );
- (void)sprintf(line_buf[i], " ");
+ (void)snprintf(line_buf[i], N_CHARS, " ");
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], "Message from Talk_Daemon@%s at %d:%02d ...",
- hostname, localclock->tm_hour , localclock->tm_min );
+ (void)snprintf(line_buf[i], N_CHARS,
+ "Message from Talk_Daemon@%s at %d:%02d ...",
+ hostname, localclock->tm_hour , localclock->tm_min );
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], "talk: connection requested by %s@%s",
- request->l_name, remote_machine);
+
+ vis_user = malloc(strlen(request->l_name) * 4 + 1);
+ strvis(vis_user, request->l_name, VIS_CSTYLE);
+ (void)snprintf(line_buf[i], N_CHARS,
+ "talk: connection requested by %s@%s", vis_user, remote_machine);
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], "talk: respond with: talk %s@%s",
- request->l_name, remote_machine);
+ (void)snprintf(line_buf[i], N_CHARS, "talk: respond with: talk %s@%s",
+ vis_user, remote_machine);
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], " ");
+ (void)snprintf(line_buf[i], N_CHARS, " ");
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
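Review bot: The `malloc` result assigned to `vis_user` goes straight into `strvis` with no NULL check, so an allocation failure becomes a NULL write in a daemon that normally runs as root; add `if (vis_user == NULL)` with an early error return before the `strvis` call. No `free(vis_user)` is visible in this hunk, and the function body continues past the last hunk line, so confirm it is released on every exit path. `remote_machine` is still formatted with a bare `%s` while only `l_name` goes through `strvis`; if that name comes from a resolver answer (its origin is not shown here), it deserves the same `VIS_CSTYLE` encoding before it reaches the user's terminal. The same points apply to the identical announce.c hunk in the FreeBSD 2.1 patch further down.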
Index: talkd.c
===================================================================
RCS file: /cvs/freebsd/src/libexec/talkd/talkd.c,v
retrieving revision 1.5
diff -u -r1.5 talkd.c
--- talkd.c 1997/01/14 06:21:01 1.5
+++ talkd.c 1997/01/18 08:26:44
@@ -71,7 +71,7 @@
void timeout();
long lastmsgtime;
-char hostname[MAXHOSTNAMELEN];
+char hostname[MAXHOSTNAMELEN + 1];
#define TIMEOUT 30
#define MAXIDLE 120
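Review bot: Growing `hostname` to `MAXHOSTNAMELEN + 1` only guarantees a terminator if the code that fills the array never writes its last byte, and that call is outside this hunk. `gethostname` is not required to NUL-terminate a truncated name, so check that the call site passes `sizeof(hostname) - 1` or sets `hostname[MAXHOSTNAMELEN] = '\0'` afterwards; otherwise the `%s` in announce.c could still read past the array. The same applies to the identical talkd.c hunk in the FreeBSD 2.1 patch below.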
For FreeBSD 2.1 based systems:
--- announce.c 1995/05/30 05:46:38 1.3
+++ announce.c 1997/01/18 08:33:55 1.3.4.1
@@ -32,7 +32,7 @@
*/
#ifndef lint
-static char sccsid[] = "@(#)announce.c 8.2 (Berkeley) 1/7/94";
+static char sccsid[] = "@(#)announce.c 8.3 (Berkeley) 4/28/95";
#endif /* not lint */
#include <sys/types.h>
@@ -41,15 +41,18 @@
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/socket.h>
+
#include <protocols/talkd.h>
-#include <sgtty.h>
+
#include <errno.h>
-#include <syslog.h>
-#include <unistd.h>
+#include <paths.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
-#include <paths.h>
-
+#include <syslog.h>
+#include <unistd.h>
+#include <vis.h>
+
extern char hostname[];
/*
@@ -77,7 +80,7 @@
#define max(a,b) ( (a) > (b) ? (a) : (b) )
#define N_LINES 5
-#define N_CHARS 120
+#define N_CHARS 256
/*
* Build a block of characters containing the message.
@@ -99,33 +102,37 @@
char line_buf[N_LINES][N_CHARS];
int sizes[N_LINES];
char big_buf[N_LINES*N_CHARS];
- char *bptr, *lptr, *ttymsg();
+ char *bptr, *lptr, *vis_user;
int i, j, max_size;
i = 0;
max_size = 0;
gettimeofday(&clock, &zone);
localclock = localtime( &clock.tv_sec );
- (void)sprintf(line_buf[i], " ");
+ (void)snprintf(line_buf[i], N_CHARS, " ");
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], "Message from Talk_Daemon@%s at %d:%02d ...",
- hostname, localclock->tm_hour , localclock->tm_min );
+ (void)snprintf(line_buf[i], N_CHARS,
+ "Message from Talk_Daemon@%s at %d:%02d ...",
+ hostname, localclock->tm_hour , localclock->tm_min );
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], "talk: connection requested by %s@%s",
- request->l_name, remote_machine);
+
+ vis_user = malloc(strlen(request->l_name) * 4 + 1);
+ strvis(vis_user, request->l_name, VIS_CSTYLE);
+ (void)snprintf(line_buf[i], N_CHARS,
+ "talk: connection requested by %s@%s", vis_user, remote_machine);
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], "talk: respond with: talk %s@%s",
- request->l_name, remote_machine);
+ (void)snprintf(line_buf[i], N_CHARS, "talk: respond with: talk %s@%s",
+ vis_user, remote_machine);
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
- (void)sprintf(line_buf[i], " ");
+ (void)snprintf(line_buf[i], N_CHARS, " ");
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
Index: talkd.c
===================================================================
RCS file: /home/ncvs/src/libexec/talkd/talkd.c,v
retrieving revision 1.3
retrieving revision 1.3.4.1
diff -u -r1.3 -r1.3.4.1
--- talkd.c 1995/05/30 05:46:44 1.3
+++ talkd.c 1997/01/18 08:33:56 1.3.4.1
@@ -69,7 +69,7 @@
void timeout();
long lastmsgtime;
-char hostname[MAXHOSTNAMELEN];
+char hostname[MAXHOSTNAMELEN + 1];
#define TIMEOUT 30
#define MAXIDLE 120
SGI
---
SGI已经为此发布了一个安全公告(19970701-01-PX)以及相应补丁:
19970701-01-PX:talkd Vulnerability
链接:ftp://patches.sgi.com/support/free/security/advisories/19970701-01-PX
补丁下载:
SGI的匿名ftp服务器:
sgigate.sgi.com (204.94.209.1) ftp.sgi.com
Filename: README.patch.2132
Algorithm #1 (sum -r): 58795 8 README.patch.2132
Algorithm #2 (sum): 22126 8 README.patch.2132
MD5 checksum: 1C16F01A682CC8DB605DEC4C515B3ADD
Filename: patchSG0002132
Algorithm #1 (sum -r): 39922 1 patchSG0002132
Algorithm #2 (sum): 24988 1 patchSG0002132
MD5 checksum: 1BD1683D23D164F954BEE893B3CF8B2F
Filename: patchSG0002132.eoe2_sw
Algorithm #1 (sum -r): 29839 26 patchSG0002132.eoe2_sw
Algorithm #2 (sum): 636 26 patchSG0002132.eoe2_sw
MD5 checksum: EDB8C15F7D22F7104770D591952346E7
Filename: patchSG0002132.idb
Algorithm #1 (sum -r): 54227 1 patchSG0002132.idb
Algorithm #2 (sum): 34895 1 patchSG0002132.idb
MD5 checksum: 82E411637E20CB15E9EEFA3BA330F93D
Filename: README.patch.2133
Algorithm #1 (sum -r): 53634 8 README.patch.2133
Algorithm #2 (sum): 26859 8 README.patch.2133
MD5 checksum: 20FE236BEAC79EC8614BE84B5E291841
Filename: patchSG0002133
Algorithm #1 (sum -r): 05188 1 patchSG0002133
Algorithm #2 (sum): 27188 1 patchSG0002133
MD5 checksum: A4E881E9682DA41DE8897DE71D2EE42C
Filename: patchSG0002133.eoe_sw
Algorithm #1 (sum -r): 24652 27 patchSG0002133.eoe_sw
Algorithm #2 (sum): 6068 27 patchSG0002133.eoe_sw
MD5 checksum: 7ECC472AFE5105D195BCC2B75834D666
Filename: patchSG0002133.idb
Algorithm #1 (sum -r): 45369 1 patchSG0002133.idb
Algorithm #2 (sum): 35211 1 patchSG0002133.idb
MD5 checksum: 5BE2481FB3F325399BEE961AF0FB476C
Sun
---
Sun已经为此发布了一个安全公告(SUN-00147)以及相应补丁:
SUN-00147:Vulnerability in talkd
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147&type=0&nav=sec.sba
补丁下载:
ftp://sunsolve1.sun.com/pub/patches/patches.html
File Name BSD SVR4 MD5
_______________ ________ _________ ________________________________
104692-01.tar.Z 05337 97 5296 194 0F45E5B9CCAD276AE166CAFFE9110799
104693-01.tar.Z 44228 97 39970 194 32D62F61E350AA6B50FBD2A4BA1059CA
104690-01.tar.Z 26808 97 47810 194 E4360074D6BB751C22406F1962556138
104691-01.tar.Z 07788 97 37926 194 B3519CA85BCD2CD818B1712B655E260F
104701-01.tar.Z 03035 85 2323 169 FCBEEAADE24029B9E5B0FB3CFAEE9CCE
104702-01.tar.Z 14433 85 29616 169 922599D5FF853181A9671070C7213F0D
104698-01.tar.Z 25487 85 52869 169 337DD394B381E4D61BA7E590ED1BBAD7
104998-01.tar.Z 46836 10 15721 19 8C62C5B5E0965BB0E0D3B5B835D98670
104997-01.tar.Z 21171 10 10506 19 DE1AE78A37570FD597AA39844554A3C7
OS version Patch ID
__________ ________
SunOS 5.5.1 104692-01
SunOS 5.5.1_x86 104693-01
SunOS 5.5 104690-01
SunOS 5.5_x86 104691-01
SunOS 5.4 104701-01
SunOS 5.4_x86 104702-01
SunOS 5.3 104698-01
SunOS 4.1.4 104998-01
SunOS 4.1.3_U1 104997-01