talk vulnerabilities
Updated 11/18/02
CVE 1999-0048
CVE 2000-1010
CAN 2002-1194
Impact
A remote attacker could execute arbitrary commands on the
server.
Background
talk is a network service which allows
two users logged into the same or different Unix systems to
have an interactive conversation. The first user initiates
the session by sending a talk request to the recipient.
If the recipient's system is listening, and the recipient
accepts the talk request, then the session is established
and both users' screens are divided in half. One half
is for typing messages, and the other half is for viewing
messages which the other user types.
talkd is the daemon process which listens
for talk requests.
The Problem
5/28/02
Due to a missing format string argument in the print_mesg
function of some talkd implementations (the message text is
passed in its place), a remote attacker could execute arbitrary
commands by sending a specially crafted talk request. The talkd
implementations included in KDE versions 1 through 3, older Linux
netkits, Solaris 9ea and earlier, UnixWare 7.1.1, and Open UNIX 8.0.0
are affected by this vulnerability, and other implementations may
be as well.
10/16/02
CAN 2002-1194
A separate problem affects NetBSD. Failure to properly check
incoming messages results in a buffer overflow condition
which could lead to root access to the system. NetBSD
1.5 through 1.5.3 branches dated 2002-09-20 or earlier and
NetBSD 1.6 branch dated 2002-10-03 or earlier are affected.
CVE 1999-0048
CVE 2000-1010
Older versions of talkd are affected by
additional vulnerabilities, including a buffer overflow in the
handling of responses from DNS servers and a format string
vulnerability in the dprint_mesg function in announce.cpp.
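The following is an added example, not code from any talkd implementation named in this advisory. It shows the two defect classes described above side by side with their fixed forms: a message passed where a format string belongs (the print_mesg and dprint_mesg problems), and a request field copied into a fixed buffer without a length check (the NetBSD overflow). The function names, the buffer sizes and the announcement wording are hypothetical.

```c
/* Added example, not code from any talkd implementation. Function names,
 * buffer sizes and the announcement wording are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MESG_LEN 128   /* hypothetical output buffer size */
#define NAME_LEN 12    /* hypothetical fixed-size request field */

/* Defect class 1 (format string): the peer-supplied text is itself used
 * as the format argument, so any '%' conversion in it is interpreted. */
int print_mesg_unsafe(char *out, size_t outlen, const char *mesg)
{
    return snprintf(out, outlen, mesg);      /* BUG: mesg is the format */
}

/* Fixed form: a constant format string, the text passed as data via
 * "%s", so '%' characters in mesg are copied literally. */
int print_mesg_safe(char *out, size_t outlen, const char *mesg)
{
    return snprintf(out, outlen, "%s", mesg);
}

/* Defect class 2 (unchecked length): copying a request field into a
 * fixed buffer without comparing lengths first overflows it. */
void copy_field_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);                        /* BUG: no bound on src */
}

/* Fixed form: refuse (rather than silently truncate) anything that does
 * not fit, and always leave dst NUL-terminated. Returns 0 on success. */
int copy_field_safe(char dst[NAME_LEN], const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= NAME_LEN) {
        dst[0] = '\0';
        return -1;                           /* too long: reject request */
    }
    memcpy(dst, src, n + 1);                 /* n + 1 copies the NUL too */
    return 0;
}

/* Input check a daemon (or a log-based detector) can apply: does a field
 * carry a format directive, i.e. a '%' that is not the escaped "%%"? */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent sign */
        return 1;
    }
    return 0;
}

/* Build the announcement the callee would see, with every peer-supplied
 * field passed as data and length-checked. Returns -1 if a field was
 * rejected, otherwise the snprintf result. */
int format_announce(char *out, size_t outlen,
                    const char *caller, const char *host)
{
    char c[NAME_LEN], h[NAME_LEN];
    if (copy_field_safe(c, caller) || copy_field_safe(h, host))
        return -1;
    return snprintf(out, outlen,
                    "talk: connection requested by %s@%s.", c, h);
}

int main(void)
{
    char buf[MESG_LEN];
    if (format_announce(buf, sizeof buf, "alice", "hostA") >= 0)
        puts(buf);
    return 0;
}
```

Note that print_mesg_unsafe and print_mesg_safe produce identical output for ordinary text, which is why this class of bug survives normal use; GCC's -Wformat -Wformat-security flags the unsafe call at compile time, and has_format_directive is the kind of check a daemon or log monitor can apply to incoming request fields.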
Resolutions
The talk service is usually not necessary.
Disable it by placing a comment sign (#) at the beginning of
the line that starts it in /etc/inetd.conf, and then
restarting the inetd process.
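The following shell script is an added example, not part of the original advisory. It comments out the talk and ntalk entries of an inetd.conf-style file, verifies that no active entry remains, and asks inetd to re-read its configuration. It assumes the classic inetd.conf format (one service per line, service name in the first field) and that the running inetd records its process id in /var/run/inetd.pid and reloads on SIGHUP; the sample configuration in the demo is constructed, not taken from a real system.

```sh
#!/bin/sh
# Added example, not part of the advisory. Assumes classic inetd.conf
# layout and an inetd that reloads on SIGHUP with a pidfile in /var/run.

# Print every active (uncommented) talk/ntalk line of the given file.
# Used both before and after the change to verify the result.
active_talk_lines() {
    grep -E '^[[:space:]]*n?talk[[:space:]]' "$1" || true
}

# Comment out every active talk/ntalk line in place; other lines are
# left untouched, and already-commented lines are not touched twice.
disable_talk() {
    tmp="$1.tmp.$$"
    sed -E 's/^([[:space:]]*n?talk[[:space:]])/#\1/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Ask the running inetd to re-read its configuration (assumption:
# /var/run/inetd.pid holds its pid). Does nothing if no pidfile exists.
reload_inetd() {
    if [ -r /var/run/inetd.pid ]; then
        kill -HUP "$(cat /var/run/inetd.pid)"
    fi
}

# Stand-alone demo on a constructed sample file, not a real system config.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample inetd.conf (not from a real host)
ftp     stream  tcp     nowait  root        /usr/sbin/tcpd  in.ftpd
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
#talk   dgram   udp     wait    root        /usr/sbin/tcpd  in.talkd
EOF
    echo "active talk entries before:"
    active_talk_lines "$f"
    disable_talk "$f"
    echo "active talk entries after (expected: none):"
    active_talk_lines "$f"
    echo "resulting file:"
    cat "$f"
    rm -f "$f"
}

demo
```

On a real host, run disable_talk against /etc/inetd.conf, confirm with active_talk_lines that nothing is left, then call reload_inetd; a final check that nothing is listening on the talk/ntalk UDP ports (for example with netstat) confirms the service is gone.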
Where can I read more about this?
The format string vulnerability was reported in
Bugtraq,
VulnWatch, and
SCO Security Advisory 2002-SCO.42.
The NetBSD vulnerability was reported in
NetBSD Security Advisory 2002-019.
The older vulnerabilities were reported in
CERT Advisory 1997-04 and an
X-Force Advisory.